Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
15 shown of 1,715
high
Strong
Medium FP
Windows Hypervisor Enforced Code Integrity Disabled
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
view Sigma YAML
title: Windows Hypervisor Enforced Code Integrity Disabled
id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
related:
- id: 6225c53a-a96e-4235-b28f-8d7997cd96eb
type: similar
status: test
description: |
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
references:
- https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/
- https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2023-03-14
modified: 2024-07-05
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Control\DeviceGuard\HypervisorEnforcedCodeIntegrity'
- '\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled'
- '\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Legitimate system administration tasks that require disabling HVCI for troubleshooting purposes when certain drivers or applications are incompatible with it.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled/info.yml
simulation:
- type: atomic-red-team
name: Disable Hypervisor-Enforced Code Integrity (HVCI)
technique: T1562.001
atomic_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
Convert to SIEM query
high
Moderate
High FP
Windows Internet Hosted WebDav Share Mount Via Net.EXE
Detects when an internet hosted webdav share is mounted using the "net.exe" utility
view Sigma YAML
title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
status: test
description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-21
modified: 2023-07-25
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_cli:
CommandLine|contains|all:
- ' use '
- ' http'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Windows LAPS Credential Dump From Entra ID
Detects when an account dumps the LAPS password from Entra ID.
view Sigma YAML
title: Windows LAPS Credential Dump From Entra ID
id: a4b25073-8947-489c-a8dd-93b41c23f26d
status: test
description: Detects when an account dumps the LAPS password from Entra ID.
references:
- https://twitter.com/NathanMcNulty/status/1785051227568632263
- https://www.cloudcoffee.ch/microsoft-365/configure-windows-laps-in-microsoft-intune/
- https://techcommunity.microsoft.com/t5/microsoft-entra-blog/introducing-windows-local-administrator-password-solution-with/ba-p/1942487
author: andrewdanis
date: 2024-06-26
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1098.005
logsource:
product: azure
service: auditlogs
detection:
selection:
category: 'Device'
activityType|contains: 'Recover device local administrator password'
additionalDetails.additionalInfo|contains: 'Successfully recovered local credential by device id'
condition: selection
falsepositives:
- Approved activity performed by an Administrator.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Windows Shell/Scripting Application File Write to Suspicious Folder
Detects Windows shells and scripting applications that write files to suspicious folders
view Sigma YAML
title: Windows Shell/Scripting Application File Write to Suspicious Folder
id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
status: test
description: Detects Windows shells and scripting applications that write files to suspicious folders
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-20
modified: 2023-03-29
tags:
- attack.execution
- attack.t1059
logsource:
category: file_event
product: windows
detection:
selection_1:
Image|endswith:
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- '\powershell.exe'
- '\pwsh.exe'
- '\sh.exe'
- '\wscript.exe'
TargetFilename|startswith:
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
selection_2:
Image|endswith:
- '\certutil.exe'
- '\forfiles.exe'
- '\mshta.exe'
# - '\rundll32.exe' # Potential FP
- '\schtasks.exe'
- '\scriptrunner.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
TargetFilename|contains:
- 'C:\PerfLogs\'
- 'C:\Users\Public\'
- 'C:\Windows\Temp\'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Windows Shell/Scripting Processes Spawning Suspicious Programs
Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
view Sigma YAML
title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1059.001
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
# - '\cmd.exe' # too many false positives
- '\rundll32.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\wmiprvse.exe'
- '\regsvr32.exe'
Image|endswith:
- '\schtasks.exe'
- '\nslookup.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\mshta.exe'
filter_ccmcache:
CurrentDirectory|contains: '\ccmcache\'
filter_amazon:
ParentCommandLine|contains:
# FP - Amazon Workspaces
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
- '\nessus_' # Tenable/Nessus VA Scanner
filter_nessus:
CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
filter_sccm_install:
ParentImage|endswith: '\mshta.exe'
Image|endswith: '\mshta.exe'
ParentCommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\splash.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
CommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\SMSSETUP\BIN\'
- '\autorun.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
condition: selection and not 1 of filter_*
falsepositives:
- Administrative scripts
- Microsoft SCCM
level: high
Convert to SIEM query
high
Strong
Medium FP
Windows Suspicious Child Process from Node.js - React2Shell
Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).
Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().
If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.
For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
view Sigma YAML
title: Windows Suspicious Child Process from Node.js - React2Shell
id: 271de298-cc0e-4842-acd8-079a0a99ea65
related:
- id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
type: similar
status: experimental
description: |
Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell).
Attackers can abuse the Node.js 'child_process' module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork(), or execSync().
If execSync() or exec() is used in the exploit, the command line often shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless other shells are explicitly invoked.
For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
references:
- https://github.com/msanft/CVE-2025-55182
- https://nodejs.org/api/child_process.html#class-childprocess
- https://gist.github.com/swachchhanda000/a0228130f86a2dedfbcebb415b47f870
- https://github.com/nasbench/Misc-Research/blob/2f651ede832ab34027a7ba005b63bb78f1ade378/Other/React-Next-Child-Processes-Notes.md
author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
date: 2025-12-05
tags:
- attack.execution
- attack.t1059
- attack.initial-access
- attack.t1190
- detection.emerging-threats
- cve.2025-55182
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\node.exe'
ParentCommandLine|contains:
- '--experimental-https'
- '--experimental-next-config-strip-types'
- '\node_modules\next'
- 'next dev'
- 'next start'
- 'next" start'
- 'node_modules\\.bin\\\\..\\next' # We escape every backslash to avoid confusion
- 'react-scripts start'
- 'start-server.js'
selection_generic_child_img:
# Observed when child_process.spawn(), child_process.exec(), child_process.execFile(), or child_process.fork() method is used to spawn suspicious processes
- Image|endswith:
- '\bash.exe'
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cscript.exe'
- '\curl.exe'
- '\ipconfig.exe'
- '\mshta.exe'
- '\net.exe'
- '\net1.exe'
- '\netsh.exe'
- '\nslookup.exe'
- '\OpenConsole.exe'
- '\perl.exe'
- '\ping.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\py.exe'
- '\python.exe'
- '\pythonw.exe'
- '\pyw.exe'
- '\reg.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\sc.exe'
- '\sh.exe'
- '\systeminfo.exe'
- '\wget.exe'
- '\whoami.exe'
- '\wmic.exe'
- '\wscript.exe'
- '\wt.exe'
- Image|contains: '\python'
selection_generic_child_cli_susp_pattern:
# Observed when child_process.execSync() is used to spawn suspicious processes
# Reference: https://nodejs.org/api/child_process.html#child_processexecsynccommand-options
# In default, the cli will look something like `C:\WINDOWS\System32\cmd.exe /d /s /c "...susp..cli...."`
CommandLine|contains:
- '\net'
- 'bitsadmin'
- 'certutil '
- 'conhost --headless'
- 'cscript '
- 'curl'
- 'ipconfig'
- 'java'
- 'lua'
- 'mshta'
- 'netsh'
- 'nslookup '
- 'perl'
- 'ping '
- 'powershell'
- 'pwsh'
- 'python'
- 'reg '
- 'reg.exe'
- 'regsvr32'
- 'ruby'
- 'rundll32'
- 'sc.exe'
- 'systeminfo'
- 'wget'
- 'whoami'
- 'wmic'
- 'wscript'
selection_specific_cmd:
Image|endswith: '\cmd.exe'
selection_specific_cli:
CommandLine|contains: '/d /s /c '
filter_main_default_shell_flag:
CommandLine|contains: '/d /s /c '
filter_main_cli_git:
CommandLine|contains: 'git config --local --get remote.origin.url'
filter_main_cli_netstat:
CommandLine|contains|all:
- 'netstat -ano | findstr /C:'
- ' | findstr LISTENING'
filter_main_cli_mkcert_install:
CommandLine|contains|all:
- '\mkcert\'
- ' -install '
filter_main_cli_mkcert_caroot:
CommandLine|contains|all:
- '\mkcert\'
- ' -CAROOT'
condition:
selection_parent and
(
1 of selection_generic_*
or
(selection_specific_cmd and not filter_main_default_shell_flag)
or
(all of selection_specific_* and not 1 of filter_main_cli_*)
)
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Exploits/CVE-2025-55182/proc_creation_win_exploit_cve_2025_55182_susp_nodejs_server_child_process/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Windows Vulnerable Driver Blocklist Disabled
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
view Sigma YAML
title: Windows Vulnerable Driver Blocklist Disabled
id: d526c60a-e236-4011-b165-831ffa52ab70
related:
- id: 22154f0e-5132-4a54-aa78-cc62f6def531
type: similar
status: experimental
description: |
Detects when the Windows Vulnerable Driver Blocklist is set to disabled. This setting is crucial for preventing the loading of known vulnerable drivers,
and its modification may indicate an attempt to bypass security controls. It is often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers,
particularly in scenarios involving Endpoint Detection and Response (EDR) bypass techniques.
This rule applies to systems that support the Vulnerable Driver Blocklist feature, including Windows 10 version 1903 and later, and Windows Server 2022 and later.
Note that this change will require a reboot to take effect, and this rule only detects the registry modification action.
references:
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
- https://www.sophos.com/en-us/blog/sharpening-the-knife-gold-blades-strategic-evolution
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-26
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Control\CI\Config\VulnerableDriverBlocklistEnable'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unlikely and should be investigated immediately.
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_vulnerable_driver_blocklist_disable/info.yml
Convert to SIEM query
high
Moderate
Medium FP
Windows WebDAV User Agent
Detects WebDav DownloadCradle
view Sigma YAML
title: Windows WebDAV User Agent
id: e09aed7a-09e0-4c9a-90dd-f0d52507347e
status: test
description: Detects WebDav DownloadCradle
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems)
date: 2018-04-06
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
cs-method: 'GET'
condition: selection
falsepositives:
- Administrative scripts that download files from the Internet
- Administrative scripts that retrieve certain website contents
- Legitimate WebDAV administration
level: high
Convert to SIEM query
high
Moderate
Medium FP
Windows Webshell Strings
Detects common commands used in Windows webshells
view Sigma YAML
title: Windows Webshell Strings
id: 7ff9db12-1b94-4a79-ba68-a2402c5d6729
status: test
description: Detects common commands used in Windows webshells
references:
- https://bad-jubies.github.io/RCE-NOW-WHAT/
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-02-19
modified: 2022-11-18
tags:
- attack.persistence
- attack.t1505.003
logsource:
category: webserver
detection:
selection_method:
cs-method: 'GET'
selection_keywords:
# The "%20" is URL encoded version of the space
# The "%2B" is URL encoded version of the "+"
- '=whoami'
- '=net%20user'
- '=net+user'
- '=net%2Buser'
- '=cmd%20/c%'
- '=cmd+/c+'
- '=cmd%2B/c%'
- '=cmd%20/r%'
- '=cmd+/r+'
- '=cmd%2B/r%'
- '=cmd%20/k%'
- '=cmd+/k+'
- '=cmd%2B/k%'
- '=powershell%'
- '=powershell+'
- '=tasklist%'
- '=tasklist+'
- '=wmic%'
- '=wmic+'
- '=ssh%'
- '=ssh+'
- '=python%'
- '=python+'
- '=python3%'
- '=python3+'
- '=ipconfig'
- '=wget%'
- '=wget+'
- '=curl%'
- '=curl+'
- '=certutil'
- '=copy%20%5C%5C'
- '=dsquery%'
- '=dsquery+'
- '=nltest%'
- '=nltest+'
condition: all of selection_*
falsepositives:
- Web sites like wikis with articles on os commands and pages that include the os commands in the URLs
- User searches in search boxes of the respective website
level: high
Convert to SIEM query
high
Moderate
Medium FP
Winlogon Notify Key Logon Persistence
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
view Sigma YAML
title: Winlogon Notify Key Logon Persistence
id: bbf59793-6efb-4fa1-95ca-a7d288e52c88
status: test
description: |
Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md#atomic-test-3---winlogon-notify-key-logon-persistence---powershell
author: frack113
date: 2021-12-30
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.004
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logon'
Details|endswith: '.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Winrs Local Command Execution
Detects the execution of Winrs.exe where it is used to execute commands locally.
Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
view Sigma YAML
title: Winrs Local Command Execution
id: bcfece3d-56fe-4545-9931-3b8e92927db1
status: experimental
description: |
Detects the execution of Winrs.exe where it is used to execute commands locally.
Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
references:
- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs
author: Liran Ravich, Nasreddine Bencherchali
date: 2025-10-22
tags:
- attack.lateral-movement
- attack.stealth
- attack.t1021.006
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
# Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" calc.exe
- Image|endswith: '\winrs.exe'
- OriginalFileName: 'winrs.exe'
selection_local_ip:
CommandLine|contains|windash:
- '/r:localhost'
- '/r:127.0.0.1'
- '/r:[::1]'
- '/remote:localhost'
- '/remote:127.0.0.1'
- '/remote:[::1]'
filter_main_remote:
CommandLine|contains|windash:
- "/r:"
- "/remote:"
condition: all of selection_* or (selection_img and not 1 of filter_main_*)
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
Medium FP
Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
view Sigma YAML
title: Wmiprvse Wbemcomn DLL Hijack
id: 7707a579-e0d8-4886-a853-ce47e4575aaa
status: test
description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
references:
- https://threathunterplaybook.com/hunts/windows/201009-RemoteWMIWbemcomnDLLHijack/notebook.html
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-12
modified: 2022-10-09
tags:
- attack.execution
- attack.t1047
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\wmiprvse.exe'
ImageLoaded|endswith: '\wbem\wbemcomn.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Wusa.EXE Executed By Parent Process Located In Suspicious Location
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
view Sigma YAML
title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
status: test
description: |
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
references:
- https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document
author: X__Junior (Nextron Systems)
date: 2023-11-26
modified: 2024-08-15
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\wusa.exe'
selection_paths_1:
ParentImage|contains:
# Note: Add additional suspicious locations to increase coverage
- ':\Perflogs\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\Appdata\Local\Temp\'
- '\Temporary Internet'
selection_paths_2:
- ParentImage|contains|all:
- ':\Users\'
- '\Favorites\'
- ParentImage|contains|all:
- ':\Users\'
- '\Favourites\'
- ParentImage|contains|all:
- ':\Users\'
- '\Contacts\'
- ParentImage|contains|all:
- ':\Users\'
- '\Pictures\'
filter_main_msu:
# Note: We exclude MSU extension files. A better approach is to baseline installation of updates in your env to avoid false negatives.
CommandLine|contains: '.msu'
condition: selection_img and 1 of selection_paths_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
High FP
Xwizard.EXE Execution From Non-Default Location
Detects the execution of Xwizard tool from a non-default directory.
When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
view Sigma YAML
title: Xwizard.EXE Execution From Non-Default Location
id: 193d5ccd-6f59-40c6-b5b0-8e32d5ddd3d1
status: test
description: |
Detects the execution of Xwizard tool from a non-default directory.
When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
references:
- https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
- http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
author: Christian Burkard (Nextron Systems)
date: 2021-09-20
modified: 2024-08-15
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\xwizard.exe'
- OriginalFileName: 'xwizard.exe'
filter_main_legit_location:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Windows installed on non-C drive
level: high
Convert to SIEM query
high
Strong
Low FP
smbexec.py Service Installation
Detects the use of smbexec.py tool by detecting a specific service installation
view Sigma YAML
title: smbexec.py Service Installation
id: 52a85084-6989-40c3-8f32-091e12e13f09
status: test
description: Detects the use of smbexec.py tool by detecting a specific service installation
references:
- https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/
- https://github.com/fortra/impacket/blob/33058eb2fde6976ea62e04bc7d6b629d64d44712/examples/smbexec.py#L286-L296
- https://github.com/fortra/impacket/blob/edef71f17bc1240f9f8c957bbda98662951ac3ec/examples/smbexec.py#L60 # Old service name
author: Omer Faruk Celik
date: 2018-03-20
modified: 2023-11-09
tags:
- attack.lateral-movement
- attack.execution
- attack.t1021.002
- attack.t1569.002
logsource:
product: windows
service: system
detection:
selection_eid:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service_name:
ServiceName: 'BTOBTO'
selection_service_image:
ImagePath|contains:
- '.bat & del '
- '__output 2^>^&1 >'
condition: selection_eid and 1 of selection_service_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 1701-1715 of 1,715