Tool
SIEM
Sigma (generic) detection rules
1,715 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
◈
Detection rules
50 shown of 1,715
high
Exploit Framework User Agent
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
view Sigma YAML
title: Exploit Framework User Agent
id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f
status: test
description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
references:
- https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2025-01-18
tags:
- attack.command-and-control
- attack.t1071.001
logsource:
category: proxy
detection:
selection:
c-useragent:
# Cobalt Strike https://www.cobaltstrike.com/help-malleable-c2
- 'Internet Explorer *'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)' # https://bluescreenofjeff.com/2016-06-28-cobalt-strike-http-c2-redirectors-with-apache-mod_rewrite/
# Metasploit Framework - Analysis by Didier Stevens https://blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/
- 'Mozilla/4.0 (compatible; Metasploit RSPEC)'
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)' # old browser, rare, base-lining needed
- 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N'
- 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' # only use in proxy logs - not for detection in web server logs
- 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13'
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)' # Payloads
# Metasploit Update by Florian Roth 08.07.2017
- 'Mozilla/5.0'
- 'Mozilla/4.0 (compatible; SPIPE/1.0'
# - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' # too many false positives expected
# - 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko' # too many false positives expected
- 'Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0'
- 'Sametime Community Agent' # Unknown if prone to false positives - https://github.com/rapid7/metasploit-framework/blob/97095ab3113de2f046e64a64c461a1f888554401/modules/exploits/windows/http/steamcast_useragent.rb
- 'X-FORWARDED-FOR'
- 'DotDotPwn v2.1'
- 'SIPDROID'
- 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
# Empire
- 'Mozilla/6.0 (X11; Linux x86_64; rv:24.0) Gecko/20140205 Firefox/27.0 Iceweasel/25.3.0'
# Exploits
- '*wordpress hash grabber*'
- '*exploit*'
# Havoc
- 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36' # https://github.com/HavocFramework/Havoc/issues/519
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
view Sigma YAML
title: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
id: e5f66e87-7d6b-404f-92fe-7aa67814b5cd
status: experimental
description: |
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
references:
- https://unit42.paloaltonetworks.com/cve-2025-59287/
- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
- https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639
- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-31
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.t1203
- cve.2025-59287
- detection.emerging-threats
logsource:
product: windows
service: application
detection:
selection:
Provider_Name: 'Windows Server Update Services'
EventID: 7053
Data|contains|all:
# Indicators of untrusted deserialization exploitation attempts
# https://github.com/pwntester/ysoserial.net/issues/114
- 'System.InvalidCastException'
- 'System.Windows.Data.ObjectDataProvider'
- 'Unable to cast object of type'
- 'System.Windows.Media.Brush'
condition: selection
falsepositives:
- Legitimate WSUS operations that may trigger similar error messages
level: high
Convert to SIEM query
high
Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
view Sigma YAML
title: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
id: 43259cc4-1b80-4931-bd98-baea01afc196
status: experimental
description: |
Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe.
This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.
references:
- https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
author: Huntress Labs, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-31
tags:
- attack.execution
- attack.initial-access
- attack.t1190
- attack.t1203
- cve.2025-59287
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent_wsusservice:
ParentImage|endswith: '\wsusservice.exe'
selection_parent_w3wp_wsuspool:
ParentImage|endswith: '\w3wp.exe'
ParentCommandLine|contains: 'WsusPool'
selection_child:
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
condition: 1 of selection_parent_* and selection_child
falsepositives:
- If this activity is expected, consider filtering based on specific command lines, user context (e.g., `nt authority\network service`), or parent process command lines to reduce noise.
level: high
Convert to SIEM query
high
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
Detects the execution of the commonly used ZeroLogon PoC executable.
view Sigma YAML
title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
id: dcc6a01e-9471-44a0-a699-71ea96f8ed8b
status: test
description: Detects the execution of the commonly used ZeroLogon PoC executable.
references:
- https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: '@Kostastsale, TheDFIRReport'
date: 2022-02-12
tags:
- attack.execution
- attack.lateral-movement
- attack.t1210
- cve.2020-1472
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection_main:
ParentImage|endswith: '\cmd.exe'
Image|endswith:
- '\cool.exe'
- '\zero.exe'
CommandLine|contains|all:
- 'Administrator'
- '-c'
selection_payloads_1:
CommandLine|contains|all:
- 'taskkill'
- '/f'
- '/im'
selection_payloads_2:
CommandLine|contains: 'powershell'
condition: selection_main and 1 of selection_payloads_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
view Sigma YAML
title: Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
related:
- id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
type: derived
status: test
description: |
Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
references:
- https://github.com/nathan31337/Splunk-RCE-poc/
- https://blog.hrncirik.net/cve-2023-46214-analysis
- https://advisory.splunk.com/advisories/SVD-2023-1104
author: Lars B. P. Frydenskov(Trifork Security)
date: 2023-11-27
tags:
- attack.lateral-movement
- attack.t1210
- cve.2023-46214
- detection.emerging-threats
logsource:
category: webserver
detection:
selection_method_and_response:
cs-method: POST
sc-status:
- 200
- 302
selection_uri_upload:
cs-uri-stem|contains: '/splunkd/__upload/indexing/preview'
cs-uri-query|contains|all:
- 'NO_BINARY_CHECK=1'
- 'input.path=shell.xsl'
selection_uri_search:
cs-uri-stem|contains|all:
- '/api/search/jobs'
- '/results'
cs-uri-query|contains|all:
- '/opt/splunk/var/run/splunk/dispatch/'
- '/shell.xsl'
condition: selection_method_and_response and 1 of selection_uri_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Exploitation Indicator Of CVE-2022-42475
Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
view Sigma YAML
title: Exploitation Indicator Of CVE-2022-42475
id: 293ccb8c-bed8-4868-8296-bef30e303b7e
status: test
description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
references:
- https://www.fortiguard.com/psirt/FG-IR-22-398
- https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
- https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
- https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
author: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
date: 2024-02-08
tags:
- attack.initial-access
- cve.2022-42475
- detection.emerging-threats
logsource:
product: fortios
service: sslvpnd
definition: 'Requirements: file creation events or equivalent must be collected from the FortiOS SSL-VPN appliance in order for this detection to function correctly'
detection:
keywords:
- '/data/etc/wxd.conf'
- '/data/lib/libgif.so'
- '/data/lib/libips.bak'
- '/data/lib/libiptcp.so'
- '/data/lib/libipudp.so'
- '/data/lib/libjepg.so'
- '/var/.sslvpnconfigbk'
condition: keywords
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exploitation Indicators Of CVE-2023-20198
Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
view Sigma YAML
title: Exploitation Indicators Of CVE-2023-20198
id: 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b
status: test
description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
references:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
- https://www.thestack.technology/security-experts-call-for-incident-response-exercises-after-mass-cisco-device-exploitation/
author: Lars B. P. Frydenskov (Trifork Security)
date: 2023-10-20
tags:
- attack.privilege-escalation
- attack.initial-access
- detection.emerging-threats
logsource:
product: cisco
service: syslog
definition: 'Requirements: Cisco IOS XE system logs needs to be configured and ingested'
detection:
keyword_event:
- '%WEBUI-6-INSTALL_OPERATION_INFO:'
- '%SYS-5-CONFIG_P:'
- '%SEC_LOGIN-5-WEBLOGIN_SUCCESS:'
keyword_user:
- 'cisco_tac_admin'
- 'cisco_support'
- 'cisco_sys_manager'
condition: keyword_event and keyword_user
falsepositives:
- Rare false positives might occur if there are valid users named "cisco_tac_admin" or "cisco_support", which are not created by default or CISCO representatives
level: high
Convert to SIEM query
high
Exploitation of CVE-2021-26814 in Wazuh
Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
view Sigma YAML
title: Exploitation of CVE-2021-26814 in Wazuh
id: b9888738-29ed-4c54-96a4-f38c57b84bb3
status: test
description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
references:
- https://github.com/WickdDavid/CVE-2021-26814/blob/6a17355a10ec4db771d0f112cbe031e418d829d5/PoC.py
author: Florian Roth (Nextron Systems)
date: 2021-05-22
modified: 2023-01-02
tags:
- attack.initial-access
- attack.t1190
- cve.2021-21978
- cve.2021-26814
- detection.emerging-threats
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains: '/manager/files?path=etc/lists/../../../../..'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
view Sigma YAML
title: Exploited CVE-2020-10189 Zoho ManageEngine
id: 846b866e-2a57-46ee-8e16-85fa92759be7
status: test
description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
references:
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
author: Florian Roth (Nextron Systems)
date: 2020-03-25
modified: 2023-01-21
tags:
- attack.initial-access
- attack.t1190
- attack.execution
- attack.t1059.001
- attack.t1059.003
- attack.s0190
- cve.2020-10189
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\bitsadmin.exe'
- '\systeminfo.exe'
- '\net.exe'
- '\net1.exe'
- '\reg.exe'
- '\query.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Exploiting SetupComplete.cmd CVE-2019-1378
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
view Sigma YAML
title: Exploiting SetupComplete.cmd CVE-2019-1378
id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5
status: test
description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
references:
- https://web.archive.org/web/20200530031708/https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-11-15
modified: 2021-11-27
tags:
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1068
- attack.execution
- attack.t1059.003
- attack.t1574
- cve.2019-1378
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentCommandLine|contains|all:
- '\cmd.exe'
- '/c'
- 'C:\Windows\Setup\Scripts\'
ParentCommandLine|endswith:
- 'SetupComplete.cmd'
- 'PartnerSetupComplete.cmd'
filter:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\Setup\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Explorer NOUACCHECK Flag
Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
view Sigma YAML
title: Explorer NOUACCHECK Flag
id: 534f2ef7-e8a2-4433-816d-c91bccde289b
status: test
description: Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
references:
- https://twitter.com/ORCA6665/status/1496478087244095491
author: Florian Roth (Nextron Systems)
date: 2022-02-23
modified: 2022-04-21
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\explorer.exe'
CommandLine|contains: '/NOUACCHECK'
filter_dc_logon:
- ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
- ParentImage: 'C:\Windows\System32\svchost.exe' # coarse filter needed for ID 4688 Events
condition: selection and not 1 of filter_*
falsepositives:
- Domain Controller User Logon
- Unknown how many legitimate software products use that method
level: high
Convert to SIEM query
high
Exports Critical Registry Keys To a File
Detects the export of a crital Registry key to a file.
view Sigma YAML
title: Exports Critical Registry Keys To a File
id: 82880171-b475-4201-b811-e9c826cd5eaa
related:
- id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
type: similar
status: test
description: Detects the export of a crital Registry key to a file.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-12
modified: 2024-03-13
tags:
- attack.exfiltration
- attack.discovery
- attack.t1012
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\regedit.exe'
- OriginalFileName: 'REGEDIT.EXE'
selection_cli_1:
CommandLine|contains|windash: ' -E '
selection_cli_2:
CommandLine|contains:
- 'hklm'
- 'hkey_local_machine'
selection_cli_3:
CommandLine|endswith:
- '\system'
- '\sam'
- '\security'
condition: all of selection_*
falsepositives:
- Dumping hives for legitimate purpouse i.e. backup or forensic investigation
level: high
Convert to SIEM query
high
Exports Registry Key To an Alternate Data Stream
Exports the target Registry key and hides it in the specified alternate data stream.
view Sigma YAML
title: Exports Registry Key To an Alternate Data Stream
id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
status: test
description: Exports the target Registry key and hides it in the specified alternate data stream.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regedit/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Oddvar Moe, Sander Wiebing, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Image|endswith: '\regedit.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
External Remote SMB Logon from Public IP
Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
view Sigma YAML
title: External Remote SMB Logon from Public IP
id: 78d5cab4-557e-454f-9fb9-a222bd0d5edc
related:
- id: 259a9cdf-c4dd-4fa2-b243-2269e5ab18a2
type: derived
status: test
description: Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
references:
- https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html
- https://twitter.com/Purp1eW0lf/status/1616144561965002752
author: Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity)
date: 2023-01-19
modified: 2024-03-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.credential-access
- attack.stealth
- attack.t1133
- attack.t1078
- attack.t1110
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 3
filter_main_local_ranges:
IpAddress|cidr:
- '::1/128' # IPv6 loopback
- '10.0.0.0/8'
- '127.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- 'fc00::/7' # IPv6 private addresses
- 'fe80::/10' # IPv6 link-local addresses
filter_main_empty:
IpAddress: '-'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate or intentional inbound connections from public IP addresses on the SMB port.
level: high
Convert to SIEM query
high
Failed MSExchange Transport Agent Installation
Detects a failed installation of a Exchange Transport Agent
view Sigma YAML
title: Failed MSExchange Transport Agent Installation
id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
status: test
description: Detects a failed installation of a Exchange Transport Agent
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-07-12
tags:
- attack.persistence
- attack.t1505.002
logsource:
service: msexchange-management
product: windows
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
EventID: 6
Data|contains: 'Install-TransportAgent'
condition: selection
falsepositives:
- Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: high
Convert to SIEM query
high
FakeUpdates/SocGholish Activity
Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
view Sigma YAML
title: FakeUpdates/SocGholish Activity
id: 97805087-93ab-4203-b5cb-287cda6aecaa
status: test
description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
references:
- https://twitter.com/th3_protoCOL/status/1536788652889497600
- https://twitter.com/1ZRR4H/status/1537501582727778304
author: '@kostastsale'
date: 2022-06-16
modified: 2024-08-23
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\wscript.exe'
ParentCommandLine|contains|all:
- '\AppData\Local\Temp'
- '.zip'
- 'update'
- '.js'
ParentCommandLine|contains:
- 'Chrome'
- 'Edge'
- 'Firefox'
- 'Opera'
- 'Brave' # Not seen in campaigns
- 'Vivaldi' # Not seen in campaigns
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Fax Service DLL Search Order Hijack
The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
view Sigma YAML
title: Fax Service DLL Search Order Hijack
id: 828af599-4c53-4ed2-ba4a-a9f835c434ea
status: test
description: The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.
references:
- https://windows-internals.com/faxing-your-way-to-system/
author: NVISO
date: 2020-05-04
modified: 2022-06-02
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\fxssvc.exe'
ImageLoaded|endswith: 'ualapi.dll'
filter:
ImageLoaded|startswith: 'C:\Windows\WinSxS\'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
File Creation In Suspicious Directory By Msdt.EXE
Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
view Sigma YAML
title: File Creation In Suspicious Directory By Msdt.EXE
id: 318557a5-150c-4c8d-b70e-a9910e199857
status: test
description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
references:
- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
author: Vadim Varganov, Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2023-02-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- cve.2022-30190
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\msdt.exe'
TargetFilename|contains:
- '\Desktop\'
- '\Start Menu\Programs\Startup\'
- 'C:\PerfLogs\'
- 'C:\ProgramData\'
- 'C:\Users\Public\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
File Creation Related To RAT Clients
File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
view Sigma YAML
title: File Creation Related To RAT Clients
id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d
status: experimental
description: |
File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
references:
- https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
- https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-12-19
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
# VT Query: behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf"
# VT Query: behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf"
selection_required:
TargetFilename|contains: '\AppData\Roaming\'
selection_variants:
TargetFilename|contains:
- '\mydata\'
- '\datalogs\'
- '\hvnc\'
- '\dcrat\'
TargetFilename|endswith:
- '\datalogs.conf'
- '\hvnc.conf'
- '\dcrat.conf'
condition: all of selection_*
falsepositives:
- Legitimate software creating a file with the same name
level: high
Convert to SIEM query
high
File Decoded From Base64/Hex Via Certutil.EXE
Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
view Sigma YAML
title: File Decoded From Base64/Hex Via Certutil.EXE
id: cc9cbe82-7bc0-4ef5-bc23-bbfb83947be7
status: test
description: Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/JohnLaTwC/status/835149808817991680
- https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2023-02-15
modified: 2025-06-04
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash:
- '-decode ' # Decode Base64
- '-decodehex ' # Decode Hex
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_decode/info.yml
Convert to SIEM query
high
File Download And Execution Via IEExec.EXE
Detects execution of the IEExec utility to download and execute files
view Sigma YAML
title: File Download And Execution Via IEExec.EXE
id: 9801abb8-e297-4dbf-9fbd-57dde0e830ad
status: test
description: Detects execution of the IEExec utility to download and execute files
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-16
modified: 2023-11-09
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\IEExec.exe'
- OriginalFileName: 'IEExec.exe'
selection_cli:
CommandLine|contains:
- 'http://'
- 'https://'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
File Download From IP Based URL Via CertOC.EXE
Detects when a user downloads a file from an IP based URL using CertOC.exe
view Sigma YAML
title: File Download From IP Based URL Via CertOC.EXE
id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
related:
- id: 70ad0861-d1fe-491c-a45f-fa48148a300d
type: similar
status: test
description: Detects when a user downloads a file from an IP based URL using CertOC.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
- attack.command-and-control
- attack.execution
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_ip:
CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
selection_cli:
CommandLine|contains: '-GetCACAPS'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
File Download Using Notepad++ GUP Utility
Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
view Sigma YAML
title: File Download Using Notepad++ GUP Utility
id: 44143844-0631-49ab-97a0-96387d6b2d7c
status: test
description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
references:
- https://twitter.com/nas_bench/status/1535322182863179776
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2023-03-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\GUP.exe'
- OriginalFileName: 'gup.exe'
selection_cli:
CommandLine|contains|all:
- ' -unzipTo '
- 'http'
filter:
ParentImage|endswith: '\notepad++.exe'
condition: all of selection* and not filter
falsepositives:
- Other parent processes other than notepad++ using GUP that are not currently identified
level: high
Convert to SIEM query
high
File Download Via Bitsadmin To A Suspicious Target Folder
Detects usage of bitsadmin downloading a file to a suspicious target folder
view Sigma YAML
title: File Download Via Bitsadmin To A Suspicious Target Folder
id: 2ddef153-167b-4e89-86b6-757a9e65dcac
related:
- id: 6e30c82f-a9f8-4aab-b79c-7c12bce6f248
type: obsolete
- id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
type: similar
status: test
description: Detects usage of bitsadmin downloading a file to a suspicious target folder
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
- https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2025-12-10
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
- attack.s0190
- attack.t1036.003
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_folder:
CommandLine|contains:
- ':\Perflogs'
- ':\ProgramData\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\'
- '\$Recycle.Bin\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Desktop\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\wwwroot\'
- '\Music\'
- '\Pictures\'
- '\Start Menu\Programs\Startup\'
- '\Users\Default\'
- '\Videos\'
- '%ProgramData%'
- '%public%'
- '%temp%'
- '%tmp%'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder/info.yml
simulation:
- type: atomic-red-team
name: Windows - BITSAdmin BITS Download
technique: T1105
atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
Convert to SIEM query
high
File Download Via Windows Defender MpCmpRun.EXE
Detects the use of Windows Defender MpCmdRun.EXE to download files
view Sigma YAML
title: File Download Via Windows Defender MpCmpRun.EXE
id: 46123129-1024-423e-9fae-43af4a0fa9a5
status: test
description: Detects the use of Windows Defender MpCmdRun.EXE to download files
references:
- https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
- https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
author: Matthew Matchen
date: 2020-09-04
modified: 2023-11-09
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'MpCmdRun.exe'
- Image|endswith: '\MpCmdRun.exe'
- CommandLine|contains: 'MpCmdRun.exe'
- Description: 'Microsoft Malware Protection Command Line Utility'
selection_cli:
CommandLine|contains|all:
- 'DownloadFile'
- 'url'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
File Download with Headless Browser
Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
view Sigma YAML
title: File Download with Headless Browser
id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
related:
- id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
type: derived
status: test
description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
references:
- https://twitter.com/mrd0x/status/1478234484881436672?s=12
- https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Sreeman, Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2025-10-07
tags:
- attack.command-and-control
- attack.stealth
- attack.t1105
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
CommandLine|contains|all:
- '--headless'
- 'dump-dom'
- 'http'
filter_optional_edge_1:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\'
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
- 'C:\Program Files\Microsoft\Edge\Application\'
- 'C:\Program Files\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeWebView\'
- 'C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
- '\MicrosoftEdge.exe'
CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
filter_optional_edge_2:
Image|contains:
- '\AppData\Local\Microsoft\WindowsApps\'
- '\Windows\SystemApps\Microsoft.MicrosoftEdge'
Image|endswith:
- '\msedge.exe'
- '\MicrosoftEdge.exe'
CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml
Convert to SIEM query
high
File Encryption/Decryption Via Gpg4win From Suspicious Locations
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
view Sigma YAML
title: File Encryption/Decryption Via Gpg4win From Suspicious Locations
id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d
status: test
description: Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
references:
- https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
- https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2022-11-30
modified: 2023-08-09
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_metadata:
- Image|endswith:
- '\gpg.exe'
- '\gpg2.exe'
- Product: 'GNU Privacy Guard (GnuPG)'
- Description: 'GnuPG’s OpenPGP tool'
selection_cli:
CommandLine|contains: '-passphrase'
selection_paths:
CommandLine|contains:
- ':\PerfLogs\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
- '\AppData\Roaming\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
view Sigma YAML
title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
status: test
description: |
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
author: '@Kostastsale'
references:
- https://ss64.com/nt/shell.html
date: 2022-12-22
modified: 2024-08-23
tags:
- attack.discovery
- attack.t1135
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith: '\explorer.exe'
CommandLine|contains: 'shell:mycomputerfolder'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_explorer_folder_shortcut_via_shell_binary/info.yml
Convert to SIEM query
high
File In Suspicious Location Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
view Sigma YAML
title: File In Suspicious Location Encoded To Base64 Via Certutil.EXE
id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
related:
- id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
type: derived
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
- https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior
- https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior
- https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-15
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_cli:
CommandLine|contains|windash: '-encode'
selection_extension:
CommandLine|contains:
# Note: Add more suspicious locations to increase coverage
- '\AppData\Roaming\'
- '\Desktop\'
- '\Local\Temp\'
- '\PerfLogs\'
- '\Users\Public\'
- '\Windows\Temp\'
- '$Recycle.Bin'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location/info.yml
Convert to SIEM query
high
File With Suspicious Extension Downloaded Via Bitsadmin
Detects usage of bitsadmin downloading a file with a suspicious extension
view Sigma YAML
title: File With Suspicious Extension Downloaded Via Bitsadmin
id: 5b80a791-ad9b-4b75-bcc1-ad4e1e89c200
status: test
description: Detects usage of bitsadmin downloading a file with a suspicious extension
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-05-30
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
- attack.s0190
- attack.t1036.003
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_flags:
CommandLine|contains:
- ' /transfer '
- ' /create '
- ' /addfile '
selection_extension:
CommandLine|contains:
- '.7z'
- '.asax'
- '.ashx'
- '.asmx'
- '.asp'
- '.aspx'
- '.bat'
- '.cfm'
- '.cgi'
- '.chm'
- '.cmd'
- '.dll'
- '.gif'
- '.jpeg'
- '.jpg'
- '.jsp'
- '.jspx'
- '.log'
- '.png'
- '.ps1'
- '.psm1'
- '.rar'
- '.scf'
- '.sct'
- '.txt'
- '.vbe'
- '.vbs'
- '.war'
- '.wsf'
- '.wsh'
- '.xll'
- '.zip'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_extensions/info.yml
simulation:
- type: atomic-red-team
name: Windows - BITSAdmin BITS Download
technique: T1105
atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
Convert to SIEM query
high
File With Uncommon Extension Created By An Office Application
Detects the creation of files with an executable or script extension by an Office application.
view Sigma YAML
title: File With Uncommon Extension Created By An Office Application
id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
status: test
description: Detects the creation of files with an executable or script extension by an Office application.
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-23
modified: 2025-10-17
tags:
- attack.t1204.002
- attack.execution
logsource:
product: windows
category: file_event
detection:
# Note: Please add more file extensions to the logic of your choice.
selection1:
Image|endswith:
- '\excel.exe'
- '\msaccess.exe'
- '\mspub.exe'
- '\powerpnt.exe'
- '\visio.exe'
- '\winword.exe'
selection2:
TargetFilename|endswith:
- '.bat'
- '.cmd'
- '.com'
- '.dll'
- '.exe'
- '.hta'
- '.ocx'
- '.proj'
- '.ps1'
- '.scf'
- '.scr'
- '.sys'
- '.vbe'
- '.vbs'
- '.wsf'
- '.wsh'
filter_main_localassembly:
TargetFilename|contains: '\AppData\Local\assembly\tmp\'
TargetFilename|endswith: '.dll'
filter_optional_webservicecache: # matches e.g. directory with name *.microsoft.com
TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Microsoft\Office\'
- '\WebServiceCache\AllUsers'
TargetFilename|endswith: '.com'
filter_optional_webex:
Image|endswith: '\winword.exe'
TargetFilename|contains: '\AppData\Local\Temp\webexdelta\'
TargetFilename|endswith:
- '.dll'
- '.exe'
filter_optional_backstageinappnavcache: # matches e.g. C:\Users\xxxxx\AppData\Local\Microsoft\Office\16.0\BackstageInAppNavCache\[email protected]
TargetFilename|contains|all:
- 'C:\Users\'
- '\AppData\Local\Microsoft\Office\'
- '\BackstageInAppNavCache\'
TargetFilename|endswith: '.com'
condition: all of selection* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
FileFix - Command Evidence in TypedPaths
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
view Sigma YAML
title: FileFix - Command Evidence in TypedPaths
id: 4fee3d51-8069-4a4c-a0f7-924fcaff2c70
related:
- id: 4be03877-d5b6-4520-85c9-a5911c0a656c
type: similar
status: experimental
description: |
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
references:
- https://x.com/russianpanda9xx/status/1940831134759506029
- https://mrd0x.com/filefix-clickfix-alternative/
- https://www.scpx.com.au/2025/11/16/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Alfie Champion (delivr.to), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-05
modified: 2025-11-19
tags:
- attack.execution
- attack.t1204.004
logsource:
category: registry_set
product: windows
detection:
selection_base:
TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
Details|contains|all:
- '#'
- 'http'
selection_cmd:
- Details|contains:
# Add more suspicious keywords
- 'account'
- 'anti-bot'
- 'botcheck'
- 'captcha'
- 'challenge'
- 'confirmation'
- 'fraud'
- 'human'
- 'identification'
- 'identificator'
- 'identity'
- 'robot'
- 'validation'
- 'verification'
- 'verify'
- Details|contains:
- '%comspec%'
- 'bitsadmin'
- 'certutil'
- 'cmd'
- 'cscript'
- 'curl'
- 'finger'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'schtasks'
- 'wget'
- 'wscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Findstr GPP Passwords
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
view Sigma YAML
title: Findstr GPP Passwords
id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
status: test
description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
author: frack113
date: 2021-12-27
modified: 2023-11-11
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|contains|all:
- 'cpassword'
- '\sysvol\'
- '.xml'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml
simulation:
- type: atomic-red-team
name: GPP Passwords (findstr)
technique: T1552.006
atomic_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f
Convert to SIEM query
high
Finger.EXE Execution
Detects execution of the "finger.exe" utility.
Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
view Sigma YAML
title: Finger.EXE Execution
id: af491bca-e752-4b44-9c86-df5680533dbc
related:
- id: c082c2b0-525b-4dbc-9a26-a57dc4692074
type: similar
- id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
type: similar
status: test
description: |
Detects execution of the "finger.exe" utility.
Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
references:
- https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
- https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
- http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
author: Florian Roth (Nextron Systems), omkar72, oscd.community
date: 2021-02-24
modified: 2024-06-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
- OriginalFileName: 'finger.exe'
- Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Admin activity (unclear what they do nowadays with finger.exe)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/info.yml
Convert to SIEM query
high
Fireball Archer Install
Detects Archer malware invocation via rundll32
view Sigma YAML
title: Fireball Archer Install
id: 3d4aebe0-6d29-45b2-a8a4-3dfde586a26d
status: test
description: Detects Archer malware invocation via rundll32
references:
- https://www.virustotal.com/en/file/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022/analysis/
- https://www.hybrid-analysis.com/sample/9b4971349ae85aa09c0a69852ed3e626c954954a3927b3d1b6646f139b930022?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-06-03
modified: 2021-11-27
tags:
- attack.execution
- attack.stealth
- attack.t1218.011
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'rundll32.exe'
- 'InstallArcherSvc'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
First Time Seen Remote Named Pipe
This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
view Sigma YAML
title: First Time Seen Remote Named Pipe
id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
- https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden
date: 2019-04-03
modified: 2023-03-14
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: windows
service: security
definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
selection1:
EventID: 5145
ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$
false_positives:
RelativeTargetName:
- 'atsvc'
- 'samr'
- 'lsarpc'
- 'lsass'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
- 'sql\query'
- 'eventlog'
condition: selection1 and not false_positives
falsepositives:
- Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
Convert to SIEM query
high
First Time Seen Remote Named Pipe - Zeek
This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
view Sigma YAML
title: First Time Seen Remote Named Pipe - Zeek
id: 021310d9-30a6-480a-84b7-eaa69aeb92bb
related:
- id: 52d8b0c6-53d6-439a-9e41-52ad442ad9ad
type: derived
status: test
description: This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
references:
- https://twitter.com/menasec1/status/1104489274387451904
author: Samir Bousseaden, @neu5ron, Tim Shelton
date: 2020-04-02
modified: 2022-12-27
tags:
- attack.lateral-movement
- attack.t1021.002
logsource:
product: zeek
service: smb_files
detection:
selection:
path: '\\\\\*\\IPC$' # Looking for the string \\*\IPC$
filter_keywords:
- 'samr'
- 'lsarpc'
- 'winreg'
- 'netlogon'
- 'srvsvc'
- 'protected_storage'
- 'wkssvc'
- 'browser'
- 'netdfs'
- 'svcctl'
- 'spoolss'
- 'ntsvcs'
- 'LSM_API_service'
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
condition: selection and not 1 of filter_*
falsepositives:
- Update the excluded named pipe to filter out any newly observed legit named pipe
level: high
Convert to SIEM query
high
Flash Player Update from Suspicious Location
Detects a flashplayer update from an unofficial location
view Sigma YAML
title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
- https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
- attack.initial-access
- attack.stealth
- attack.t1189
- attack.execution
- attack.t1204.002
- attack.t1036.005
logsource:
category: proxy
detection:
selection:
- c-uri|contains: '/flash_install.php'
- c-uri|endswith: '/install_flash_player.exe'
filter:
cs-host|endswith: '.adobe.com'
condition: selection and not filter
falsepositives:
- Unknown flash download locations
level: high
Convert to SIEM query
high
Folder Removed From Exploit Guard ProtectedFolders List - Registry
Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
view Sigma YAML
title: Folder Removed From Exploit Guard ProtectedFolders List - Registry
id: 272e55a4-9e6b-4211-acb6-78f51f0b1b40
status: test
description: Detects the removal of folders from the "ProtectedFolders" list of of exploit guard. This could indicate an attacker trying to launch an encryption process or trying to manipulate data inside of the protected folder
references:
- https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2023-02-08
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: registry_delete
product: windows
detection:
selection:
EventType: DeleteValue
TargetObject|contains: 'SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders'
condition: selection
falsepositives:
- Legitimate administrators removing applications (should always be investigated)
level: high
Convert to SIEM query
high
Forest Blizzard APT - Custom Protocol Handler Creation
Detects the setting of a custom protocol handler with the name "rogue".
Seen being created by Forest Blizzard APT as reported by MSFT.
view Sigma YAML
title: Forest Blizzard APT - Custom Protocol Handler Creation
id: 5cdeb555-65de-4767-99fe-e26807465148
status: test
description: |
Detects the setting of a custom protocol handler with the name "rogue".
Seen being created by Forest Blizzard APT as reported by MSFT.
references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\PROTOCOLS\\Handler\rogue\CLSID'
Details: '{026CC6D7-34B2-33D5-B551-CA31EB6CE345}'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
Detects the setting of the DLL that handles the custom protocol handler.
Seen being created by Forest Blizzard APT as reported by MSFT.
view Sigma YAML
title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
id: d807056b-0e00-4cec-b7f8-b8b7518e382b
status: test
description: |
Detects the setting of the DLL that handles the custom protocol handler.
Seen being created by Forest Blizzard APT as reported by MSFT.
references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1547.001
- detection.emerging-threats
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\CLSID\{026CC6D7-34B2-33D5-B551-CA31EB6CE345}\Server'
Details|endswith: '.dll'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Forest Blizzard APT - File Creation Activity
Detects the creation of specific files inside of ProgramData directory.
These files were seen being created by Forest Blizzard as described by MSFT.
view Sigma YAML
title: Forest Blizzard APT - File Creation Activity
id: b92d1d19-f5c9-4ed6-bbd5-7476709dc389
status: test
description: |
Detects the creation of specific files inside of ProgramData directory.
These files were seen being created by Forest Blizzard as described by MSFT.
references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
modified: 2024-07-11
tags:
- attack.defense-impairment
- attack.t1685.001
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection_programdata_driver_store:
TargetFilename|startswith:
- 'C:\ProgramData\Microsoft\v'
- 'C:\ProgramData\Adobe\v'
- 'C:\ProgramData\Comms\v'
- 'C:\ProgramData\Intel\v'
- 'C:\ProgramData\Kaspersky Lab\v'
- 'C:\ProgramData\Bitdefender\v'
- 'C:\ProgramData\ESET\v'
- 'C:\ProgramData\NVIDIA\v'
- 'C:\ProgramData\UbiSoft\v'
- 'C:\ProgramData\Steam\v'
TargetFilename|contains:
- '\prnms003.inf_'
- '\prnms009.inf_'
selection_programdata_main:
TargetFilename|startswith: 'C:\ProgramData\'
selection_programdata_files_1:
TargetFilename|endswith:
- '.save'
- '\doit.bat'
- '\execute.bat'
- '\servtask.bat'
# Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncommon this if you collect hash information inf file events
selection_programdata_files_2:
TargetFilename|contains: '\wayzgoose'
TargetFilename|endswith: '.dll'
condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Forest Blizzard APT - Process Creation Activity
Detects the execution of specific processes and command line combination.
These were seen being created by Forest Blizzard as described by MSFT.
view Sigma YAML
title: Forest Blizzard APT - Process Creation Activity
id: 07db928c-8632-488e-ac7d-3db847489175
status: experimental
description: |
Detects the execution of specific processes and command line combination.
These were seen being created by Forest Blizzard as described by MSFT.
references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
modified: 2025-01-22
tags:
- attack.execution
- detection.emerging-threats
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_hashes:
Hashes|contains:
- 'SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
- 'SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
selection_schtasks_create:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- 'Create'
- '/RU'
- 'SYSTEM'
- '\Microsoft\Windows\WinSrv'
CommandLine|contains:
- 'servtask.bat'
- 'execute.bat'
- 'doit.bat'
selection_schtasks_delete:
Image|endswith: '\schtasks.exe'
CommandLine|contains|all:
- 'Delete'
- '/F '
- '\Microsoft\Windows\WinSrv'
selection_powershell:
CommandLine|contains|all:
- 'Get-ChildItem'
- '.save'
- 'Compress-Archive -DestinationPath C:\ProgramData\'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Forfiles.EXE Child Process Masquerading
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
view Sigma YAML
title: Forfiles.EXE Child Process Masquerading
id: f53714ec-5077-420e-ad20-907ff9bb2958
status: test
description: |
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
references:
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2024-01-05
tags:
- attack.stealth
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
# Notes:
# - The parent must not have CLI options
# - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
# - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
ParentCommandLine|endswith:
- '.exe'
- '.exe"'
Image|endswith: '\cmd.exe'
CommandLine|startswith: '/c echo "'
filter_main_parent_not_sys:
ParentImage|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
ParentImage|endswith: '\forfiles.exe'
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
Image|endswith: '\cmd.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Formbook Process Creation
Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
view Sigma YAML
title: Formbook Process Creation
id: 032f5fb3-d959-41a5-9263-4173c802dc2b
status: test
description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
references:
- https://inquest.net/blog/2018/06/22/a-look-at-formbook-stealer
- https://app.any.run/tasks/388d5802-aa48-4826-b069-250420504758/
- https://app.any.run/tasks/8e22486b-5edc-4cef-821c-373e945f296c/
- https://app.any.run/tasks/62bb01ae-25a4-4180-b278-8e464a90b8d7/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-09-30
modified: 2022-10-06
tags:
- attack.resource-development
- attack.t1587.001
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection1:
# Parent command line should not contain a space value
# This avoids false positives not caused by process injection
# e.g. wscript.exe /B sysmon-install.vbs
ParentCommandLine|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
ParentCommandLine|endswith: '.exe'
selection2:
- CommandLine|contains|all:
- '/c'
- 'del'
- 'C:\Users\'
- '\AppData\Local\Temp\'
- CommandLine|contains|all:
- '/c'
- 'del'
- 'C:\Users\'
- '\Desktop\'
- CommandLine|contains|all:
- '/C'
- 'type nul >'
- 'C:\Users\'
- '\Desktop\'
selection3:
CommandLine|endswith: '.exe'
condition: all of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Fsutil Suspicious Invocation
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
Might be used by ransomwares during the attack (seen by NotPetya and others).
view Sigma YAML
title: Fsutil Suspicious Invocation
id: add64136-62e5-48ea-807e-88638d02df1e
status: stable
description: |
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc).
Might be used by ransomwares during the attack (seen by NotPetya and others).
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md
- https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html
- https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md
- https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt
author: Ecco, E.M. Anhaus, oscd.community
date: 2019-09-26
modified: 2023-09-09
tags:
- attack.impact
- attack.stealth
- attack.t1070
- attack.t1485
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\fsutil.exe'
- OriginalFileName: 'fsutil.exe'
selection_cli:
CommandLine|contains:
- 'deletejournal' # usn deletejournal ==> generally ransomware or attacker
- 'createjournal' # usn createjournal ==> can modify config to set it to a tiny size
- 'setZeroData' # file setZeroData ==> empties a file with zeroes
condition: all of selection_*
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
level: high
Convert to SIEM query
high
FunkLocker Ransomware File Creation
Detects the creation of files with the ".funksec" extension, which is appended to encrypted files by the FunkLocker ransomware.
view Sigma YAML
title: FunkLocker Ransomware File Creation
id: 2c76a22b-702d-48fd-8fa9-e41e2fe203b3
status: experimental
description: Detects the creation of files with the ".funksec" extension, which is appended to encrypted files by the FunkLocker ransomware.
references:
- https://www.broadcom.com/support/security-center/protection-bulletin/funksec-ransomware
- https://www.pcrisk.com/removal-guides/31853-funklocker-funksec-ransomware
author: Saiprashanth Pulisetti ( @Prashanthblogs)
date: 2025-08-08
tags:
- attack.impact
- attack.t1486
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '.funksec'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
GAC DLL Loaded Via Office Applications
Detects any GAC DLL being loaded by an Office Product
view Sigma YAML
title: GAC DLL Loaded Via Office Applications
id: 90217a70-13fc-48e4-b3db-0d836c5824ac
status: test
description: Detects any GAC DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
condition: selection
falsepositives:
- Legitimate macro usage. Add the appropriate filter according to your environment
level: high
Convert to SIEM query
high
GALLIUM Artefacts - Builtin
Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
view Sigma YAML
title: GALLIUM Artefacts - Builtin
id: 3db10f25-2527-4b79-8d4b-471eb900ee29
related:
- id: 440a56bf-7873-4439-940a-1c8a671073c2
type: derived
status: test
description: Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)
author: Tim Burrell
date: 2020-02-07
modified: 2023-01-02
tags:
- attack.credential-access
- attack.command-and-control
- attack.t1071
- detection.emerging-threats
logsource:
product: windows
service: dns-server-analytic
definition: 'Requirements: Microsoft-Windows-DNS-Server/Analytical ({EB79061A-A566-4698-9119-3ED2807060E7}) Event Log must be collected in order to receive the events.'
detection:
selection:
EventID: 257
QNAME:
- 'asyspy256.ddns.net'
- 'hotkillmail9sddcc.ddns.net'
- 'rosaf112.ddns.net'
- 'cvdfhjh1231.myftp.biz'
- 'sz2016rose.ddns.net'
- 'dffwescwer4325.myftp.biz'
- 'cvdfhjh1231.ddns.net'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
GALLIUM IOCs
Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
view Sigma YAML
title: GALLIUM IOCs
id: 440a56bf-7873-4439-940a-1c8a671073c2
status: test
description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
references:
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
author: Tim Burrell
date: 2020-02-07
modified: 2024-11-23
tags:
- attack.credential-access
- attack.command-and-control
- attack.t1212
- attack.t1071
- attack.g0093
- detection.emerging-threats
logsource:
product: windows
category: process_creation
detection:
selection:
Hashes|contains:
- 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
- 'SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
- 'SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5'
- 'SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29'
- 'SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77'
- 'SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3'
- 'SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022'
- 'SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883'
- 'SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e'
- 'SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7'
- 'SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1'
- 'SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c'
- 'SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945'
- 'SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9'
- 'SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79'
- 'SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf'
- 'SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08'
- 'SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef'
- 'SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070'
- 'SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635'
- 'SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19'
- 'SHA1=aeb573accfd95758550cf30bf04f389a92922844'
- 'SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a'
- 'SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196'
- 'SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
- 'SHA1=e841a63e47361a572db9a7334af459ddca11347a'
- 'SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
- 'SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b'
- 'SHA1=dd44133716b8a241957b912fa6a02efde3ce3025'
- 'SHA1=8793bf166cb89eb55f0593404e4e933ab605e803'
- 'SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138'
- 'SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea'
- 'SHA1=d209430d6af54792371174e70e27dd11d3def7a7'
- 'SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0'
- 'SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
- 'SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f'
- 'SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de'
- 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
Showing 301-350 of 1,715