
Sigma (generic) detection rules

1,492 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
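The three steps above carried out in code, as an added example that is not part of this page or of SigmaHQ: a minimal evaluator for the subset of the Sigma specification that the rules listed below use, run over a few constructed process-creation events. The raw field names (`process.executable` and friends) and `FIELD_MAP` are a hypothetical EDR schema, not any real product's; the two rules are transcribed from this listing into Python dicts so the script runs without a YAML library. It shows the Adapt step (field mapping), the evaluation a SIEM backend performs for `endswith`, `contains|all`, list-OR selections and `not 1 of filter_main_*`, and why a renamed `rundll32.exe` is still caught via `OriginalFileName`.

```python
"""Minimal evaluator for the Sigma subset this page's rules use (added example, not SigmaHQ's
or this site's code): contains/startswith/endswith/all/windash, null, and/or/not, "N of x*", ()."""
import fnmatch
import re
# "Adapt" step: rename a hypothetical EDR schema onto Sigma's field names.
FIELD_MAP = {"process.executable": "Image", "process.command_line": "CommandLine",
             "process.pe.original_file_name": "OriginalFileName",
             "process.parent.executable": "ParentImage"}

def normalise(raw):  # map raw vendor field names to the Sigma taxonomy the rules expect
    return {FIELD_MAP.get(k, k): v for k, v in raw.items()}

def _windash(values):  # Sigma `windash`: '-' and '/' switch prefixes are interchangeable
    return [w for v in values for w in (v, v.replace("-", "/"), v.replace("/", "-"))]

def _field_match(event, key, values):
    field, *mods = key.split("|")
    values = values if isinstance(values, list) else [values]
    values = _windash(values) if "windash" in mods else values
    actual = event.get(field)
    if actual is None:                      # covers `Details: null` style checks
        return any(v is None for v in values)
    a = str(actual).lower()                 # Sigma string matching is case-insensitive
    ops = {"contains": lambda v: v in a, "endswith": a.endswith, "startswith": a.startswith}
    test = next((ops[m] for m in mods if m in ops), lambda v: a == v)
    hits = [v is not None and test(str(v).lower()) for v in values]
    return all(hits) if "all" in mods else any(hits)

def _selection_match(event, sel):  # a map ANDs its fields; a list ORs its entries
    if isinstance(sel, list):
        return any(_selection_match(event, s) for s in sel)
    return all(_field_match(event, k, v) for k, v in sel.items())

def evaluate(rule, event):  # True when `event` satisfies the rule's detection condition
    det = rule["detection"]
    toks = re.findall(r"\(|\)|[^\s()]+", det["condition"])   # consumed left to right

    def of_expr(quant):                     # "1 of sel_*" / "all of sel_*"
        assert toks.pop(0) == "of"
        pattern = toks.pop(0)
        hits = [_selection_match(event, det[n]) for n in det
                if n != "condition" and fnmatch.fnmatchcase(n, pattern)]
        return all(hits) if quant == "all" else sum(hits) >= int(quant)

    def atom():
        t = toks.pop(0)
        if t == "(":
            v = expr()
            assert toks.pop(0) == ")"
            return v
        if t == "not":
            return not atom()
        if t == "all" or t.isdigit():
            return of_expr(t)
        return _selection_match(event, det[t])

    def and_expr():
        v = atom()
        while toks[:1] == ["and"]:
            toks.pop(0)
            v = atom() and v                # call atom() first so its tokens are consumed
        return v

    def expr():
        v = and_expr()
        while toks[:1] == ["or"]:
            toks.pop(0)
            v = and_expr() or v
        return v

    result = expr()
    assert not toks, "unparsed condition tail"
    return result

# Two rules from this page transcribed into dicts so no YAML library is needed.
CLOUDFLARED_PORTABLE = {"title": "Cloudflared Portable Execution", "detection": {
    "selection": {"Image|endswith": "\\cloudflared.exe"},
    "filter_main_admin_location": {"Image|contains": [
        ":\\Program Files (x86)\\cloudflared\\", ":\\Program Files\\cloudflared\\"]},
    "condition": "selection and not 1 of filter_main_*"}}
PCWUTL = {"title": "Code Execution via Pcwutl.dll", "detection": {
    "selection_img": [{"Image|endswith": "\\rundll32.exe"}, {"OriginalFileName": "RUNDLL32.EXE"}],
    "selection_cli": {"CommandLine|contains|all": ["pcwutl", "LaunchApplication"]},
    "condition": "all of selection_*"}}

# Constructed sample events in the hypothetical raw schema (not real telemetry).
SAMPLE_EVENTS = [
    {"process.executable": "C:\\Users\\Public\\cloudflared.exe",
     "process.command_line": "cloudflared.exe tunnel run --token eyJ..."},
    {"process.executable": "C:\\Program Files\\cloudflared\\cloudflared.exe",
     "process.command_line": "cloudflared.exe tunnel run --config C:\\ProgramData\\cf.yml"},
    {"process.executable": "C:\\Windows\\System32\\notrundll.exe",   # renamed rundll32
     "process.pe.original_file_name": "RUNDLL32.EXE",
     "process.command_line": "notrundll.exe pcwutl.dll,LaunchApplication C:\\Users\\Public\\x.exe"},
]

def run(rules, raw_events):  # {rule title: [indices of raw events that fire the rule]}
    return {r["title"]: [i for i, e in enumerate(raw_events) if evaluate(r, normalise(e))]
            for r in rules}
```

Calling `run([CLOUDFLARED_PORTABLE, PCWUTL], SAMPLE_EVENTS)` reports which sample event fired each rule: the portable `cloudflared.exe` under `C:\Users\Public` fires, the copy under `Program Files` is suppressed by the filter, and the renamed `rundll32.exe` is caught through `OriginalFileName`. The Validate step is checking that the rendered SIEM query agrees with this on the same events; case handling, `windash` expansion and `null` semantics are the points where backend conversions commonly differ.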

Detection rules

50 shown of 1,492
medium
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded by many exploits for CVEs that target the Common Log File System (CLFS) driver.
status experimental author X__Junior id fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
status: experimental
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded by many exploits for CVEs that target the Common Log File System (CLFS) driver.
references:
    - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
    - https://x.com/Threatlabz/status/1879956781360976155
author: X__Junior
date: 2025-01-20
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith: '\clfs.sys'
    selection_folders_1:
        Image|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - Image|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Image|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: medium
medium
ClickOnce Deployment Execution - Dfsvc.EXE Child Process
Detects child processes of "dfsvc.exe", which indicate a ClickOnce deployment execution.
status test author Nasreddine Bencherchali (Nextron Systems) id 241d52b5-eee0-49d0-ac8a-8b9c15c7221c
title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process
id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c
status: test
description: Detects child processes of "dfsvc.exe", which indicate a ClickOnce deployment execution.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-12
tags:
    - attack.execution
    - detection.threat-hunting
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dfsvc.exe'
        Image|contains: '\AppData\Local\Apps\2.0\'
    condition: selection
falsepositives:
    - False positives are expected in environments leveraging ClickOnce deployments. An initial baselining is required before using this rule in production.
level: medium
medium
ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
status test author @SerkinValery, Nasreddine Bencherchali (Nextron Systems) id ac9159cc-c364-4304-8f0a-d63fc1a0aabb
title: ClickOnce Trust Prompt Tampering
id: ac9159cc-c364-4304-8f0a-d63fc1a0aabb
status: test
description: Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
references:
    - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
    - https://learn.microsoft.com/en-us/visualstudio/deployment/how-to-configure-the-clickonce-trust-prompt-behavior
author: '@SerkinValery, Nasreddine Bencherchali (Nextron Systems)'
date: 2023-06-12
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\MICROSOFT\.NETFramework\Security\TrustManager\PromptingLevel\'
        TargetObject|endswith:
            - '\Internet'
            - '\LocalIntranet'
            - '\MyComputer'
            - '\TrustedSites'
            - '\UntrustedSites'
        Details: 'Enabled'
    condition: selection
falsepositives:
    - Legitimate internal requirements.
level: medium
medium
Clipboard Access Via OSAScript
Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts
status test author Sohan G (D4rkCiph3r) id 7794fa3c-edea-4cff-bec7-267dd4770fd7
title: Clipboard Access Via OSAScript
id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects access to clipboard content via osascript, which may be used for data collection but also occurs in legitimate clipboard utilities and automation scripts
references:
    - https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2026-05-22
tags:
    - attack.collection
    - attack.execution
    - attack.t1115
    - attack.t1059.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/osascript'
        CommandLine|contains|all:
            - ' -e '
            - 'clipboard'
    filter_optional_opencode:
        # OpenCode uses osascript to handle copying text from the TUI on MacOS devices. See https://github.com/anomalyco/opencode/blob/ca723f1cbc6fc4244ae57e61e9de8c4e37380ed4/packages/opencode/src/cli/cmd/tui/util/clipboard.ts#L65 for reference.
        ParentImage|endswith: 'opencode'
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'set imageData to the clipboard'
            - 'set fileRef'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Legitimate clipboard utilities and automation scripts that read or write clipboard content
    - Developer tools and IDEs that use osascript for clipboard integration
level: medium
medium
Clipboard Data Collection Via Pbpaste
Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
status test author Daniel Cortez id d8af0da1-2959-40f9-a3e4-37a6aa1228b7
title: Clipboard Data Collection Via Pbpaste
id: d8af0da1-2959-40f9-a3e4-37a6aa1228b7
status: test
description: |
    Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout).
    The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands.
    It can also be used in shell scripts that may require clipboard content as input.
    Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information.
    Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
references:
    - https://www.loobins.io/binaries/pbpaste/
    - https://medium.com/@NullByteWht/hacking-macos-how-to-dump-1password-keepassx-lastpass-passwords-in-plaintext-723c5b1c311b
    - https://media.defense.gov/2021/Jul/19/2002805003/-1/-1/1/CSA_CHINESE_STATE-SPONSORED_CYBER_TTPS.PDF
author: Daniel Cortez
date: 2024-07-30
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1115
    - detection.threat-hunting
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: '/pbpaste'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
medium
Cloudflared Portable Execution
Detects the execution of the "cloudflared" binary from a non-standard location.
status test author Nasreddine Bencherchali (Nextron Systems) id fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
title: Cloudflared Portable Execution
id: fadb84f0-4e84-4f6d-a1ce-9ef2bffb6ccd
status: test
description: |
    Detects the execution of the "cloudflared" binary from a non-standard location.
references:
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
    - https://github.com/cloudflare/cloudflared
    - https://www.intrinsec.com/akira_ransomware/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - https://github.com/cloudflare/cloudflared/releases
author: Nasreddine Bencherchali (Nextron Systems)
tags:
    - attack.command-and-control
    - attack.t1090.001
date: 2023-12-20
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cloudflared.exe'
    filter_main_admin_location:
        Image|contains:
            - ':\Program Files (x86)\cloudflared\'
            - ':\Program Files\cloudflared\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate usage of Cloudflared portable versions
level: medium
medium
Cloudflared Quick Tunnel Execution
Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.
status test author Sajid Nawaz Khan id 222129f7-f4dc-4568-b0d2-22440a9639ba
title: Cloudflared Quick Tunnel Execution
id: 222129f7-f4dc-4568-b0d2-22440a9639ba
related:
    - id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
      type: similar
    - id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
      type: similar
status: test
description: |
    Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB.
    The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com.
    The tool has been observed in use by threat groups including Akira ransomware.
references:
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/do-more-with-tunnels/trycloudflare/
    - https://github.com/cloudflare/cloudflared
    - https://www.intrinsec.com/akira_ransomware/
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
author: Sajid Nawaz Khan
tags:
    - attack.command-and-control
    - attack.t1090.001
date: 2023-12-20
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\cloudflared.exe'
              - '\cloudflared-windows-386.exe'
              - '\cloudflared-windows-amd64.exe'
        - Hashes|contains:
              - 'SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29'
              - 'SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8'
              - 'SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039'
              - 'SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28'
              - 'SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7'
              - 'SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373'
              - 'SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670'
              - 'SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a'
              - 'SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0'
              - 'SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1'
              - 'SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2'
              - 'SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac'
              - 'SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f'
              - 'SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d'
              - 'SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499'
              - 'SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b'
              - 'SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f'
              - 'SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032'
              - 'SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234'
              - 'SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f'
              - 'SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058'
              - 'SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c'
              - 'SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f'
              - 'SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5'
              - 'SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3'
              - 'SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4'
              - 'SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c'
              - 'SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4'
              - 'SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f'
              - 'SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad'
              - 'SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7'
              - 'SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75'
              - 'SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6'
              - 'SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688'
              - 'SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f'
              - 'SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663'
              - 'SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77'
              - 'SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078'
    # Note:
    #   Accounts for the cloudflared binaries being renamed
    #   `tunnel` is optional, but has been included to reduce the possibility of parameter collision when not observed with known binary names
    selection_param:
        - CommandLine|contains|all:
              - '-url'
              - 'tunnel'
        - CommandLine|contains:
              - '.exe -url'
              - '.exe --url'
    selection_other:
        CommandLine|contains|all:
            - '-url'
            - '-no-autoupdate'
    condition: (selection_img and selection_param) or selection_other
falsepositives:
    - Legitimate usage of Cloudflare Quick Tunnel
level: medium
medium
Cloudflared Tunnel Connections Cleanup
Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
status test author Nasreddine Bencherchali (Nextron Systems) id 7050bba1-1aed-454e-8f73-3f46f09ce56a
title: Cloudflared Tunnel Connections Cleanup
id: 7050bba1-1aed-454e-8f73-3f46f09ce56a
status: test
description: Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to clean up tunnel connections.
references:
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-21
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - 'cleanup '
        CommandLine|contains:
            - '-config '
            - '-connector-id '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared.
level: medium
medium
Cloudflared Tunnel Execution
Detects execution of the "cloudflared" tool to connect back to a tunnel. This has been used by threat actors to maintain persistence and remote access to compromised networks.
status test author Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) id 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
title: Cloudflared Tunnel Execution
id: 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4
status: test
description: Detects execution of the "cloudflared" tool to connect back to a tunnel. This has been used by threat actors to maintain persistence and remote access to compromised networks.
references:
    - https://blog.reconinfosec.com/emergence-of-akira-ransomware-group
    - https://github.com/cloudflare/cloudflared
    - https://developers.cloudflare.com/cloudflare-one/connections/connect-apps
author: Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-17
modified: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1102
    - attack.t1090
    - attack.t1572
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - ' tunnel '
            - ' run '
        CommandLine|contains:
            - '-config '
            - '-credentials-contents '
            - '-credentials-file '
            - '-token '
    condition: selection
falsepositives:
    - Legitimate usage of Cloudflared tunnel.
level: medium
medium
Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflare tunnel domains. Attackers can abuse this feature to establish a reverse shell or persistence on a machine.
status test author Nasreddine Bencherchali (Nextron Systems) id a1d9eec5-33b2-4177-8d24-27fe754d0812
title: Cloudflared Tunnels Related DNS Requests
id: a1d9eec5-33b2-4177-8d24-27fe754d0812
related:
    - id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
      type: similar
status: test
description: |
    Detects DNS requests to Cloudflare tunnel domains.
    Attackers can abuse this feature to establish a reverse shell or persistence on a machine.
references:
    - https://www.guidepointsecurity.com/blog/tunnel-vision-cloudflared-abused-in-the-wild/
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-12-20
tags:
    - attack.command-and-control
    - attack.t1071.001
    - attack.t1572
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        QueryName|endswith:
            - '.v2.argotunnel.com'
            - 'protocol-v2.argotunnel.com'
            - 'trycloudflare.com'
            - 'update.argotunnel.com'
    condition: selection
falsepositives:
    - Legitimate use of cloudflare tunnels will also trigger this.
level: medium
medium
Cmd Launched with Hidden Start Flags to Suspicious Targets
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
status experimental author Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems) id 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
title: Cmd Launched with Hidden Start Flags to Suspicious Targets
id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: |
    Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
    To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
    This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
references:
    - https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
    - https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
    - https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
    - attack.stealth
    - attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_hidden_start_1:
        CommandLine|contains|windash:
            - 'start '
            - 'start/b'
            - 'start/min'
    selection_cmd_hidden_start_2:
        CommandLine|contains|windash:
            - '/b '
            - '/b"'
            - '/min '
            - '/min"'
    selection_cli_uncommon_location:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Windows\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Documents\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\'
            - '\Music\'
            - '\Photos\'
            - '\Temporary Internet\'
            - '\Users\Public\'
            - '\Videos\'
    selection_cli_susp_extension:
        CommandLine|contains:
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    selection_cli_susp_pattern:
        CommandLine|contains:
            - ' -nop '
            - ' -sta '
            - '.downloadfile(' # PowerShell download command
            - '.downloadstring(' # PowerShell download command
            - '-noni '
            - '-w hidden '
    condition: all of selection_cmd_* and 1 of selection_cli_*
falsepositives:
    - Legitimate administrative scripts running from temporary folders.
    - Niche software updaters utilizing hidden batch files in ProgramData.
level: medium # Can be increased after an initial baseline and tuning
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml
medium
Code Execution via Pcwutl.dll
Detects the launch of an executable by calling the LaunchApplication function exported by the pcwutl.dll library.
status test author Julia Fomina, oscd.community id 9386d78a-7207-4048-9c9f-a93a7c2d1c05
title: Code Execution via Pcwutl.dll
id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05
status: test
description: Detects the launch of an executable by calling the LaunchApplication function exported by the pcwutl.dll library.
references:
    - https://lolbas-project.github.io/lolbas/Libraries/Pcwutl/
    - https://twitter.com/harr0ey/status/989617817849876488
author: Julia Fomina, oscd.community
date: 2020-10-05
modified: 2023-02-09
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'pcwutl'
            - 'LaunchApplication'
    condition: all of selection_*
falsepositives:
    - Use of Program Compatibility Troubleshooter Helper
level: medium
medium
CodePage Modification Via MODE.COM To Russian Language
Detects a code page modification to a Russian code page using the "mode.com" utility. This behavior has been used by the threat actors behind Dharma ransomware.
status test author Joseliyo Sanchez, @Joseliyo_Jstnk id 12fbff88-16b5-4b42-9754-cd001a789fb3
title: CodePage Modification Via MODE.COM To Russian Language
id: 12fbff88-16b5-4b42-9754-cd001a789fb3
related:
    - id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
      type: derived
status: test
description: |
    Detects a code page modification to a Russian code page using the "mode.com" utility.
    This behavior has been used by the threat actors behind Dharma ransomware.
references:
    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/mode
    - https://strontic.github.io/xcyclopedia/library/mode.com-59D1ED51ACB8C3D50F1306FD75F20E99.html
    - https://www.virustotal.com/gui/file/5e75ef02517afd6e8ba6462b19217dc4a5a574abb33d10eb0f2bab49d8d48c22/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-17
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    # VT Query: behavior:"mode con cp select=1251"
    # VT Query: behavior:"mode con cp select=866"
    selection_img:
        - Image|endswith: '\mode.com'
        - OriginalFileName: 'MODE.COM'
    selection_cli:
        CommandLine|contains|all:
            - ' con '
            - ' cp '
            - ' select='
        CommandLine|endswith:
            - '=1251' # ANSI Cyrillic; Cyrillic (Windows) - Observed ITW by Dharma ransomware
            - '=866' # OEM Russian; Cyrillic (DOS) - Observed ITW by other malware
    condition: all of selection_*
falsepositives:
    - Russian-speaking users changing the code page
level: medium
medium
Command Line Execution with Suspicious URL and AppData Strings
Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
status test author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community id 1ac8666b-046f-4201-8aba-1951aaec03a3
title: Command Line Execution with Suspicious URL and AppData Strings
id: 1ac8666b-046f-4201-8aba-1951aaec03a3
status: test
description: Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
references:
    - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
    - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2021-11-27
tags:
    - attack.execution
    - attack.command-and-control
    - attack.t1059.003
    - attack.t1059.001
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'http' # captures both http and https
            - '://'
            - '%AppData%'
    condition: selection
falsepositives:
    - High
level: medium
medium
Common Autorun Keys Modification
Detects modification of autostart extensibility points (ASEPs) in the registry.
status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) id f59c3faf-50f3-464b-9f4c-1b67ab512d99
title: Common Autorun Keys Modification
id: f59c3faf-50f3-464b-9f4c-1b67ab512d99
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility points (ASEPs) in the registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
    - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart'
            - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect'
            - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect'
            - '\SYSTEM\Setup\CmdLine'
            - '\Software\Microsoft\Ctf\LangBarAddin'
            - '\Software\Microsoft\Command Processor\Autorun'
            - '\SOFTWARE\Microsoft\Active Setup\Installed Components'
            - '\SOFTWARE\Classes\Protocols\Handler'
            - '\SOFTWARE\Classes\Protocols\Filter'
            - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)'
            - '\Environment\UserInitMprLogonScript'
            - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe'
            - '\Software\Microsoft\Internet Explorer\UrlSearchHooks'
            - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components'
            - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32'
            - '\Control Panel\Desktop\Scrnsave.exe'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_optional_msoffice:
        - TargetObject|contains:
              - '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\'
              - '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\'
        - Details:
              - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
              - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
              - '{42089D2D-912D-4018-9087-2B87803E93FB}'
              - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
              - '{807583E5-5146-11D5-A672-00B0D022E945}'
    filter_optional_chrome:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}'
    filter_optional_edge:
        TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}'
    filter_optional_IE:
        TargetObject|contains: '\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}'
    filter_optional_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_optional_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons
    - A legitimate administrator sets up autorun keys for legitimate reasons
level: medium
medium
Communication To Uncommon Destination Ports
Detects programs that connect to uncommon destination ports
status test author Florian Roth (Nextron Systems) id 6d8c3d20-a5e1-494f-8412-4571d716cf5c
title: Communication To Uncommon Destination Ports
id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
related:
    - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
      type: similar
status: test
description: Detects programs that connect to uncommon destination ports
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 8080
            - 8888
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 917789e1-2c1f-4bf5-8c91-6f71a017f469
title: Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
id: 917789e1-2c1f-4bf5-8c91-6f71a017f469
status: experimental
description: |
    Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password.
    This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078.001
    - detection.emerging-threats
    - cve.2025-57788
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'qlogin'
            - '_+_PublicSharingUser_'
        # Detects the use of a GUID as the password, which is indicative of an exploit attempt
        CommandLine|re: '[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}'
    condition: selection
falsepositives:
    - Legitimate administrative scripts that use the `_+_PublicSharingUser_` account for valid purposes.
level: medium
medium
Compress Data and Lock With Password for Exfiltration With 7-ZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
status test author frack113 id 9fbf5927-5261-4284-a71d-f681029ea574
title: Compress Data and Lock With Password for Exfiltration With 7-ZIP
id: 9fbf5927-5261-4284-a71d-f681029ea574
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2026-06-05
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Description|contains: '7-Zip'
        - Image|endswith:
              - '\7z.exe'
              - '\7zr.exe'
              - '\7za.exe'
        - OriginalFileName:
              - '7z.exe'
              - '7za.exe'
              - '7zr.exe'
    selection_password:
        CommandLine|contains: ' -p'
    selection_action:
        CommandLine|contains:
            - ' a '
            - ' u '
    condition: all of selection_*
falsepositives:
    - Legitimate activity is expected since compressing files with a password is common.
level: medium
medium
Compress Data and Lock With Password for Exfiltration With WINZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
status test author frack113 id e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
title: Compress Data and Lock With Password for Exfiltration With WINZIP
id: e2e80da2-8c66-4e00-ae3c-2eebd29f6b6d
status: test
description: An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
author: frack113
date: 2021-07-27
modified: 2022-12-25
tags:
    - attack.collection
    - attack.t1560.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_winzip:
        CommandLine|contains:
            - 'winzip.exe'
            - 'winzip64.exe'
    selection_password:
        CommandLine|contains: '-s"'
    selection_other:
        CommandLine|contains:
            - ' -min '
            - ' -a '
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium
Computer Discovery And Export Via Get-ADComputer Cmdlet
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
status test author Nasreddine Bencherchali (Nextron Systems) id 435e10e4-992a-4281-96f3-38b11106adde
title: Computer Discovery And Export Via Get-ADComputer Cmdlet
id: 435e10e4-992a-4281-96f3-38b11106adde
related:
    - id: db885529-903f-4c5d-9864-28fe199e6370
      type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-10
modified: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'Get-ADComputer '
            - ' -Filter \*'
        CommandLine|contains:
            - ' > '
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: all of selection_*
falsepositives:
    - Legitimate admin scripts may use the same technique; it is better to exclude specific computers or users that execute these commands or scripts often
level: medium
medium
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
status test author Nasreddine Bencherchali (Nextron Systems) id db885529-903f-4c5d-9864-28fe199e6370
title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
id: db885529-903f-4c5d-9864-28fe199e6370
related:
    - id: 435e10e4-992a-4281-96f3-38b11106adde
      type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ADComputer '
            - ' -Filter \*'
        ScriptBlockText|contains:
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: selection
falsepositives:
    - Legitimate admin scripts may use the same technique; it is better to exclude specific computers or users that execute these commands or scripts often
level: medium
medium
Computer Password Change Via Ksetup.EXE
Detects password change for the computer's domain account or host principal via "ksetup.exe"
status test author Nasreddine Bencherchali (Nextron Systems) id de16d92c-c446-4d53-8938-10aeef41c8b6
title: Computer Password Change Via Ksetup.EXE
id: de16d92c-c446-4d53-8938-10aeef41c8b6
status: test
description: Detects password change for the computer's domain account or host principal via "ksetup.exe"
references:
    - https://twitter.com/Oddvarmoe/status/1641712700605513729
    - https://learn.microsoft.com/en-gb/windows-server/administration/windows-commands/ksetup
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-06
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\ksetup.exe'
        - OriginalFileName: 'ksetup.exe'
    selection_cli:
        CommandLine|contains: ' /setcomputerpassword '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Computer System Reconnaissance Via Wmic.EXE
Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
status test author Nasreddine Bencherchali (Nextron Systems) id 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
title: Computer System Reconnaissance Via Wmic.EXE
id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
status: test
description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-08
modified: 2023-02-14
tags:
    - attack.discovery
    - attack.execution
    - attack.t1047
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\wmic.exe'
        - OriginalFileName: 'wmic.exe'
    selection_cli:
        CommandLine|contains: 'computersystem'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Conhost Spawned By Uncommon Parent Process
Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
status test author Tim Rauch, Elastic (idea) id cbb9e3d1-2386-4e59-912e-62f1484f7a89
title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
    - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2025-03-06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\conhost.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            # - '\csrss.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
            # - '\ctfmon.exe'  # Seen several times in a testing environment
            # - '\dllhost.exe'  # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\userinit.exe'
            # - '\wermgr.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_main_svchost:
        ParentCommandLine|contains:
            - '-k apphost -s AppHostSvc'
            - '-k imgsvc'
            - '-k localService -p -s RemoteRegistry'
            - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
            - '-k NetSvcs -p -s NcaSvc'
            - '-k netsvcs -p -s NetSetupSvc'
            - '-k netsvcs -p -s wlidsvc'
            - '-k NetworkService -p -s DoSvc'
            - '-k wsappx -p -s AppXSvc'
            - '-k wsappx -p -s ClipSVC'
            - '-k wusvcs -p -s WaaSMedicSvc'
    filter_optional_dropbox:
        ParentCommandLine|contains:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
medium
Console CodePage Lookup Via CHCP
Detects use of chcp to look up the system locale value as part of host discovery
status test author _pete_0, TheDFIRReport id 7090adee-82e2-4269-bd59-80691e7c6338
title: Console CodePage Lookup Via CHCP
id: 7090adee-82e2-4269-bd59-80691e7c6338
status: test
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
author: _pete_0, TheDFIRReport
date: 2022-02-21
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1614.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|contains|windash:
            - ' -c '
            - ' -r '
            - ' -k '
        Image|endswith: '\chcp.com'
        CommandLine|endswith:
            - 'chcp'
            - 'chcp '
            - 'chcp  '
    condition: selection
falsepositives:
    - During an Anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.
    - Discord was seen using chcp to look up code pages
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup/info.yml
medium
ConvertTo-SecureString Cmdlet Usage Via CommandLine
Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity
status test author Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton id 74403157-20f5-415d-89a7-c505779585cf
title: ConvertTo-SecureString Cmdlet Usage Via CommandLine
id: 74403157-20f5-415d-89a7-c505779585cf
status: test
description: Detects usage of the "ConvertTo-SecureString" cmdlet via the command line, which is fairly uncommon and could indicate potentially suspicious activity
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.3#examples
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
date: 2020-10-11
modified: 2023-02-01
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains: 'ConvertTo-SecureString'
    condition: all of selection_*
falsepositives:
    - Legitimate use to pass password to different powershell commands
level: medium
medium
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
status test author Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali id 855bc8b5-2ae8-402e-a9ed-b889e6df1900
title: Copy From Or To Admin Share Or Sysvol Folder
id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900
status: test
description: Detects a copy command or a copy utility execution to or from an Admin share or remote
references:
    - https://twitter.com/SBousseaden/status/1211636381086339073
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
    - https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Florian Roth (Nextron Systems), oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali
date: 2019-12-30
modified: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.collection
    - attack.exfiltration
    - attack.t1039
    - attack.t1048
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_target:
        CommandLine|contains:
            - '\\\\*\\*$' # example \\SVR_NAME\ADMIN$
            - '\Sysvol\'
    selection_other_tools:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_cli:
        CommandLine|contains: 'copy'
    selection_pwsh_img:
        - Image|contains:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell_ise.exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'copy-item'
            - 'copy '
            - 'cpi '
            - ' cp '
            - 'move '
            - ' move-item'
            - ' mi '
            - ' mv '
    condition: selection_target and (selection_other_tools or all of selection_cmd_* or all of selection_pwsh_*)
falsepositives:
    - Administrative scripts
level: medium
medium
Crash Dump Created By Operating System
Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
status experimental author Jason Mull id 882fbe50-d8d7-4e29-ae80-0648a8556866
title: Crash Dump Created By Operating System
id: 882fbe50-d8d7-4e29-ae80-0648a8556866
related:
    - id: 2ff692c2-4594-41ec-8fcb-46587de769e0
      type: similar
status: experimental
description: Detects "BugCheck" errors indicating the system rebooted due to a crash, capturing the bugcheck code, dump file path, and report ID.
references:
    - https://www.sans.edu/cyber-research/from-crash-compromise-unlocking-potential-windows-crash-dumps-offensive-security/
    - https://jasonmull.com/articles/offensive/2025-05-12-windows-crash-dumps-offensive-security/
author: Jason Mull
date: 2025-05-12
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1003.002
    - attack.t1005
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Microsoft-Windows-WER-SystemErrorReporting'
        EventID: 1001
    condition: selection
level: medium
medium
CrashControl CrashDump Disabled
Detects disabling the CrashDump per registry (as used by HermeticWiper)
status test author Tobias Michalski (Nextron Systems) id 2ff692c2-4594-41ec-8fcb-46587de769e0
title: CrashControl CrashDump Disabled
id: 2ff692c2-4594-41ec-8fcb-46587de769e0
status: test
description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
references:
    - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
author: Tobias Michalski (Nextron Systems)
date: 2022-02-24
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
    - attack.defense-impairment
    - attack.t1564
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
        Details: 'DWORD (0x00000000)'
    condition: selection
falsepositives:
    - Legitimate disabling of crashdumps
level: medium
medium
CreateRemoteThread API and LoadLibrary
Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
status test author Roberto Rodriguez @Cyb3rWard0g id 052ec6f6-1adc-41e6-907a-f1c813478bee
title: CreateRemoteThread API and LoadLibrary
id: 052ec6f6-1adc-41e6-907a-f1c813478bee
status: test
description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
references:
    - https://threathunterplaybook.com/hunts/windows/180719-DLLProcessInjectionCreateRemoteThread/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-11
modified: 2024-01-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055.001
    - detection.threat-hunting
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        StartModule|endswith: '\kernel32.dll'
        StartFunction: 'LoadLibraryA'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
status test author elhoim id 409f8a98-4496-4aaa-818a-c931c0a8b832
title: Created Files by Microsoft Sync Center
id: 409f8a98-4496-4aaa-818a-c931c0a8b832
status: test
description: This rule detects suspicious files created by Microsoft Sync Center (mobsync)
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
modified: 2022-06-02
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1055
    - attack.t1218
    - attack.execution
logsource:
    product: windows
    category: file_event
detection:
    selection_mobsync:
        Image|endswith: '\mobsync.exe'
    filter_created_file:
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection_mobsync and filter_created_file
falsepositives:
    - Unknown
level: medium
medium
Creation Of An User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
status test author Marie Euler, Pawel Mazur id 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
title: Creation Of An User Account
id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512
status: test
description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
references:
    - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files
    - https://access.redhat.com/articles/4409591#audit-record-types-2
    - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07
author: Marie Euler, Pawel Mazur
date: 2020-05-18
modified: 2022-12-20
tags:
    - attack.t1136.001
    - attack.persistence
logsource:
    product: linux
    service: auditd
detection:
    selection_syscall_record_type:
        type: 'SYSCALL'
        exe|endswith: '/useradd'
    selection_add_user_record_type:
        type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos
    condition: 1 of selection_*
falsepositives:
    - Admin activity
level: medium
medium
Creation Of Non-Existent System DLL
Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
status test author Nasreddine Bencherchali (Nextron Systems), fornotes id df6ecb8b-7822-4f4b-b412-08f524b4576c
title: Creation Of Non-Existent System DLL
id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
      type: similar
status: test
description: |
    Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes.
    Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
    Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.
references:
    - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://decoded.avast.io/martinchlumecky/png-steganography/
    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
    - https://github.com/Wh04m1001/SysmonEoP
    - https://itm4n.github.io/cdpsvc-dll-hijacking/
    - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
    - https://securelist.com/passiveneuron-campaign-with-apt-implants-and-cobalt-strike/117745/
    - https://www.crowdstrike.com/en-us/blog/4-ways-adversaries-hijack-dlls/
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
    - https://www.hexacorn.com/blog/2025/06/14/wermgr-exe-boot-offdmpsvc-dll-lolbin/
    - https://www.hexacorn.com/blog/2025/06/14/wpr-exe-boottrace-phantom-dll-axeonoffhelper-dll-lolbin/
    - https://x.com/0gtweet/status/1564131230941122561
author: Nasreddine Bencherchali (Nextron Systems), fornotes
date: 2022-12-01
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - ':\Windows\System32\axeonoffhelper.dll'
            - ':\Windows\System32\cdpsgshims.dll'
            - ':\Windows\System32\oci.dll'
            - ':\Windows\System32\offdmpsvc.dll'
            - ':\Windows\System32\shellchromeapi.dll'
            - ':\Windows\System32\TSMSISrv.dll'
            - ':\Windows\System32\TSVIPSrv.dll'
            - ':\Windows\System32\wbem\wbemcomn.dll'
            - ':\Windows\System32\WLBSCTRL.dll'
            - ':\Windows\System32\wow64log.dll'
            - ':\Windows\System32\WptsExtensions.dll'
            - '\SprintCSP.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_create_non_existent_dlls/info.yml
medium
Creation Of Pod In System Namespace
Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container, e.g. one named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
status test author Leo Tsaousis (@laripping) id a80d927d-ac6e-443f-a867-e8d6e3897318
title: Creation Of Pod In System Namespace
id: a80d927d-ac6e-443f-a867-e8d6e3897318
status: test
description: |
    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
    System pods, created by controllers such as Deployments or DaemonSets, have random suffixes in their names.
    Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
    Deployment of such a backdoor container, e.g. one named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.namespace: kube-system
    condition: selection
falsepositives:
    - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
level: medium
medium
Creation Of a Suspicious ADS File Outside a Browser Download
Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
status test author frack113 id 573df571-a223-43bc-846e-3f98da481eca
title: Creation Of a Suspicious ADS File Outside a Browser Download
id: 573df571-a223-43bc-846e-3f98da481eca
status: test
description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
references:
    - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
author: frack113
date: 2022-10-22
modified: 2023-06-12
tags:
    - attack.stealth
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection:
        Contents|startswith: '[ZoneTransfer]  ZoneId=3'
        TargetFilename|endswith: ':Zone.Identifier'
        TargetFilename|contains:
            - '.exe'
            - '.scr'
            - '.bat'
            - '.cmd'
            - '.docx'
            - '.hta'
            - '.jse'
            - '.lnk'
            - '.pptx'
            - '.ps'
            - '.reg'
            - '.sct'
            - '.vb'
            - '.wsc'
            - '.wsf'
            - '.xlsx'
    filter_optional_brave:
        Image|endswith: '\brave.exe'
    filter_optional_chrome:
        Image:
            - 'C:\Program Files\Google\Chrome\Application\chrome.exe'
            - 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
    filter_optional_firefox:
        Image:
            - 'C:\Program Files\Mozilla Firefox\firefox.exe'
            - 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
    filter_optional_ie:
        Image:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Program Files\Internet Explorer\iexplore.exe'
    filter_optional_maxthon:
        Image|endswith: '\maxthon.exe'
    filter_optional_edge_1:
        - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
        - Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
        - Image:
              - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
              - 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
    filter_optional_edge_2:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
    filter_optional_opera:
        Image|endswith: '\opera.exe'
    filter_optional_safari:
        Image|endswith: '\safari.exe'
    filter_optional_seamonkey:
        Image|endswith: '\seamonkey.exe'
    filter_optional_vivaldi:
        Image|endswith: '\vivaldi.exe'
    filter_optional_whale:
        Image|endswith: '\whale.exe'
    filter_optional_snipping_tool:
        Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.ScreenSketch_'
        Image|endswith: '\SnippingTool\SnippingTool.exe'
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Packages\Microsoft.ScreenSketch_'
            - '\TempState\Screenshot '
        TargetFilename|endswith: '.png:Zone.Identifier'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Other legitimate browsers not currently included in the filter (please add them)
    - Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)
level: medium
medium
Creation of WerFault.exe/Wer.dll in Unusual Folder
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
status test author frack113 id 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
title: Creation of WerFault.exe/Wer.dll in Unusual Folder
id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1
status: test
description: Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
references:
    - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/
author: frack113
date: 2022-05-09
modified: 2026-05-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\WerFault.exe'
            - '\wer.dll'
    filter_main_known_locations:
        TargetFilename|startswith:
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\UUS\' # covers both C:\Windows\UUS\arm64\ and C:\Windows\UUS\packages\
    filter_main_process:
        Image|endswith: '\wuaucltcore.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
Creation of a Diagcab
Detects the creation of a diagcab file, which could be caused by a legitimate installer or be a sign of exploitation (review the filename and its location)
status test author frack113 id 3d0ed417-3d94-4963-a562-4a92c940656a
title: Creation of a Diagcab
id: 3d0ed417-3d94-4963-a562-4a92c940656a
status: test
description: Detects the creation of a diagcab file, which could be caused by a legitimate installer or be a sign of exploitation (review the filename and its location)
references:
    - https://threadreaderapp.com/thread/1533879688141086720.html
author: frack113
date: 2022-06-08
tags:
    - attack.resource-development
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.diagcab'
    condition: selection
falsepositives:
    - Legitimate Microsoft diagcab files
level: medium
medium
CredUI.DLL Loaded By Uncommon Process
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
status test author Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) id 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
title: CredUI.DLL Loaded By Uncommon Process
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
status: test
description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
references:
    - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
    - https://learn.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
    - https://github.com/S12cybersecurity/RDPCredentialStealer
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-10-20
modified: 2025-12-09
tags:
    - attack.credential-access
    - attack.collection
    - attack.t1056.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        - ImageLoaded|endswith:
              - '\credui.dll'
              - '\wincredui.dll'
        - OriginalFileName:
              - 'credui.dll'
              - 'wincredui.dll'
    filter_main_generic:
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\SystemApps\'
    filter_main_full:
        Image:
            - 'C:\Windows\explorer.exe'
            - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
            - 'C:\Windows\regedit.exe' # This FP is triggered for example when choosing the "Connect Network Registry" from the menu
    filter_optional_opera:
        Image|endswith: '\opera_autoupdate.exe'
    filter_optional_process_explorer:
        Image|endswith:
            - '\procexp64.exe'
            - '\procexp.exe'
    filter_optional_teams:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\Teams\'
        Image|endswith: '\Teams.exe'
    filter_optional_onedrive:
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Other legitimate processes loading those DLLs in your environment.
level: medium
medium
Credential Manager Access By Uncommon Applications
Detects suspicious processes, based on name and location, that access the Windows Credential Manager and vault, which can be a sign of credential stealing. An example case would be usage of the mimikatz "dpapi::cred" function.
status test author Nasreddine Bencherchali (Nextron Systems) id 407aecb1-e762-4acf-8c7b-d087bcff3bb6
title: Credential Manager Access By Uncommon Applications
id: 407aecb1-e762-4acf-8c7b-d087bcff3bb6
status: test
description: |
    Detects suspicious processes, based on name and location, that access the Windows Credential Manager and vault, which can be a sign of credential stealing.
    An example case would be usage of the mimikatz "dpapi::cred" function.
references:
    - https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
    - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-11
modified: 2024-07-29
tags:
    - attack.t1003
    - attack.credential-access
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection:
        FileName|contains:
            - '\AppData\Local\Microsoft\Credentials\'
            - '\AppData\Roaming\Microsoft\Credentials\'
            - '\AppData\Local\Microsoft\Vault\'
            - '\ProgramData\Microsoft\Vault\'
    filter_system_folders:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate software installed by the users for example in the "AppData" directory may access these files (for any reason).
# Increase level after false positives filters are good enough
level: medium
medium
Credentials from Password Stores - Keychain
Detects password dumps from Keychain
status test author Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems) id b120b587-a4c2-4b94-875d-99c9807d6955
title: Credentials from Password Stores - Keychain
id: b120b587-a4c2-4b94-875d-99c9807d6955
status: test
description: Detects password dumps from Keychain
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md
    - https://gist.github.com/Capybara/6228955
author: Tim Ismilyaev, oscd.community, Florian Roth (Nextron Systems)
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.credential-access
    - attack.t1555.001
logsource:
    category: process_creation
    product: macos
detection:
    selection1:
        Image: '/usr/bin/security'
        CommandLine|contains:
            - 'find-certificate'
            - ' export '
    selection2:
        CommandLine|contains:
            - ' dump-keychain '
            - ' login-keychain '
    condition: 1 of selection*
falsepositives:
    - Legitimate administration activities
level: medium
medium
Cscript/Wscript Potentially Suspicious Child Process
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
status test author Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86') id b6676963-0353-4f88-90f5-36c20d443c6a
title: Cscript/Wscript Potentially Suspicious Child Process
id: b6676963-0353-4f88-90f5-36c20d443c6a
status: test
description: |
    Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32.
    Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
references:
    - Internal Research
    - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_30.10.2023.txt
    - https://github.com/pr0xylife/Pikabot/blob/fc58126127adf0f65e78f4eec59675523f48f086/Pikabot_22.12.2023.txt
author: Nasreddine Bencherchali (Nextron Systems), Alejandro Houspanossian ('@lekz86')
date: 2023-05-15
modified: 2024-01-02
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    selection_cli_script_main:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    # Note: Add other combinations that are suspicious
    selection_cli_script_option_mshta:
        CommandLine|contains|all:
            - 'mshta'
            - 'http'
    selection_cli_script_option_other:
        CommandLine|contains:
            - 'rundll32'
            - 'regsvr32'
            - 'msiexec'
    selection_cli_standalone:
        Image|endswith: '\rundll32.exe'
    filter_main_rundll32_known_exports:
        Image|endswith: '\rundll32.exe'
        CommandLine|contains:
            - 'UpdatePerUserSystemParameters'
            - 'PrintUIEntry'
            - 'ClearMyTracksByProcess'
    condition: selection_parent and ( selection_cli_standalone or (selection_cli_script_main and 1 of selection_cli_script_option_*) ) and not 1 of filter_main_*
falsepositives:
    - Some false positives might occur with admin or third party software scripts. Investigate and apply additional filters accordingly.
level: medium
medium
Curl Web Request With Potential Custom User-Agent
Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings
status test author Nasreddine Bencherchali (Nextron Systems) id 85de1f22-d189-44e4-8239-dc276b45379b
title: Curl Web Request With Potential Custom User-Agent
id: 85de1f22-d189-44e4-8239-dc276b45379b
status: test
description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accepts specific "User-Agent" strings
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
    - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-07-27
modified: 2025-12-11
tags:
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    # Example: This command line would trigger the rule
    # curl.exe -H "User-Agent: EvilAgent" http://malicious.example.com
    selection_img:
        - Image|endswith: '\curl.exe'
        - OriginalFileName: 'curl.exe'
    selection_header_flag_1:
        CommandLine|re: '\s-H\s' # Must be Regex as the flag needs to be case sensitive
    selection_header_flag_2:
        CommandLine|contains: '--header'
    selection_user_agent:
        CommandLine|contains: 'User-Agent:'
    condition: selection_img and 1 of selection_header_* and selection_user_agent
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent/info.yml
medium
Curl.EXE Execution With Custom UserAgent
Detects execution of curl.exe with custom User-Agent options
status test author frack113 id 3286d37a-00fd-41c2-a624-a672dcd34e60
title: Curl.EXE Execution With Custom UserAgent
id: 3286d37a-00fd-41c2-a624-a672dcd34e60
status: test
description: Detects execution of curl.exe with custom User-Agent options
references:
    - https://curl.se/docs/manpage.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
author: frack113
date: 2022-01-23
modified: 2023-02-21
tags:
    - attack.command-and-control
    - attack.t1071.001
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_curl:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
    selection_opt:
        CommandLine|contains:
            - ' -A '
            - ' --user-agent '
    condition: all of selection_*
falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
level: medium
medium
CurrentControlSet Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) id f674e36a-4b91-431e-8aef-f8a96c2aca35
title: CurrentControlSet Autorun Keys Modification
id: f674e36a-4b91-431e-8aef-f8a96c2aca35
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    system_control_base:
        TargetObject|contains: '\SYSTEM\CurrentControlSet\Control'
    system_control_keys:
        TargetObject|contains:
            - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram'
            - '\Terminal Server\Wds\rdpwd\StartupPrograms'
            - '\SecurityProviders\SecurityProviders'
            - '\SafeBoot\AlternateShell'
            - '\Print\Providers'
            - '\Print\Monitors'
            - '\NetworkProvider\Order'
            - '\Lsa\Notification Packages'
            - '\Lsa\Authentication Packages'
            - '\BootVerificationProgram\ImagePath'
    filter_empty:
        Details: '(Empty)'
    filter_cutepdf:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|contains: '\Print\Monitors\CutePDF Writer Monitor'
        Details:
            - 'cpwmon64_v40.dll'
            - 'CutePDF Writer'
    filter_onenote:
        Image: C:\Windows\System32\spoolsv.exe
        TargetObject|contains: 'Print\Monitors\Appmon\Ports\Microsoft.Office.OneNote_'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    filter_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder'
    filter_realvnc:
        Image: 'C:\Windows\System32\spoolsv.exe'
        TargetObject|endswith: '\Print\Monitors\MONVNC\Driver'
        Details: 'VNCpm.dll'
    condition: all of system_control_* and not 1 of filter_*
falsepositives:
    - Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons
    - Legitimate administrators set up autorun keys for legitimate reasons
level: medium
medium
CurrentVersion Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) id 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
title: CurrentVersion Autorun Keys Modification
id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
    - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion'
    selection_current_version_keys:
        TargetObject|contains:
            - '\ShellServiceObjectDelayLoad'
            - '\Run\'
            - '\RunOnce\'
            - '\RunOnceEx\'
            - '\RunServices\'
            - '\RunServicesOnce\'
            - '\Policies\System\Shell'
            - '\Policies\Explorer\Run'
            - '\Group Policy\Scripts\Startup'
            - '\Group Policy\Scripts\Shutdown'
            - '\Group Policy\Scripts\Logon'
            - '\Group Policy\Scripts\Logoff'
            - '\Explorer\ShellServiceObjects'
            - '\Explorer\ShellIconOverlayIdentifiers'
            - '\Explorer\ShellExecuteHooks'
            - '\Explorer\SharedTaskScheduler'
            - '\Explorer\Browser Helper Objects'
            - '\Authentication\PLAP Providers'
            - '\Authentication\Credential Providers'
            - '\Authentication\Credential Provider Filters'
    filter_main_generic_all:
        - Details: '(Empty)'
        - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
        - Image|endswith:
              - '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
              - '\AppData\Roaming\Spotify\Spotify.exe'
              - '\AppData\Local\WebEx\WebexHost.exe'
        - Image:
              - 'C:\WINDOWS\system32\devicecensus.exe'
              - 'C:\Windows\system32\winsat.exe'
              - 'C:\Program Files\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft OneDrive\StandaloneUpdater\OneDriveSetup.exe'
              - 'C:\Program Files\Microsoft OneDrive\Update\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft OneDrive\Update\OneDriveSetup.exe'
              - 'C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\Addons\OneDriveSetup.exe'
              - 'C:\Program Files\KeePass Password Safe 2\ShInstUtil.exe'
              - 'C:\Program Files\Everything\Everything.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_main_null:
        Details: null
    filter_main_logonui:
        Image: 'C:\Windows\system32\LogonUI.exe'
        TargetObject|contains:
            - '\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}\'  # PIN
            - '\Authentication\Credential Providers\{BEC09223-B018-416D-A0AC-523971B639F5}\'  # fingerprint
            - '\Authentication\Credential Providers\{8AF662BF-65A0-4D0A-A540-A338A999D36F}\'  # facial recognition
            - '\Authentication\Credential Providers\{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}\'  # Trusted Signal (Phone proximity, Network location)
    filter_main_edge:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\'
            - 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
    filter_main_defender:
        Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
    filter_main_teams:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
        Details|contains: '\Microsoft\Teams\Update.exe --processStart '
    filter_main_ctfmon:
        Image: 'C:\Windows\system32\userinit.exe'
        Details: 'ctfmon.exe /n'
    filter_optional_dropbox:
        Image: 'C:\Windows\system32\regsvr32.exe'
        TargetObject|contains: 'DropboxExt'
        Details|endswith: 'A251-47B7-93E1-CDD82E34AF8B}'
    filter_optional_opera_1:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opera Browser Assistant'
        Details: 'C:\Program Files\Opera\assistant\browser_assistant.exe'
    filter_optional_opera_2:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Opera Stable'
        Details:
            - 'C:\Program Files\Opera\launcher.exe'
            - 'C:\Program Files (x86)\Opera\launcher.exe'
    filter_optional_itunes:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iTunesHelper'
        Details: '"C:\Program Files\iTunes\iTunesHelper.exe"'
    filter_optional_zoom:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zoommsirepair'
        Details: '"C:\Program Files\Zoom\bin\installer.exe" /repair'
    filter_optional_greenshot:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Greenshot'
        Details: 'C:\Program Files\Greenshot\Greenshot.exe'
    filter_optional_googledrive1:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\GoogleDriveFS'
        Details|startswith: 'C:\Program Files\Google\Drive File Stream\'
        Details|contains: '\GoogleDriveFS.exe'
    filter_optional_googledrive2:
        TargetObject|contains: 'GoogleDrive'
        Details:
            - '{CFE8B367-77A7-41D7-9C90-75D16D7DC6B6}'
            - '{A8E52322-8734-481D-A7E2-27B309EF8D56}'
            - '{C973DA94-CBDF-4E77-81D1-E5B794FBD146}'
            - '{51EF1569-67EE-4AD6-9646-E726C3FFC8A2}'
    filter_optional_onedrive:
        Details|startswith:
            - 'C:\Windows\system32\cmd.exe /q /c rmdir /s /q "C:\Users\'
            - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|contains: '\AppData\Local\Microsoft\OneDrive\'
    filter_optional_python:
        TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{'
        Details|contains|all:
            - '\AppData\Local\Package Cache\{'
            - '}\python-'
        Details|endswith: '.exe" /burn.runonce'
    filter_optional_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_optional_teams:
        Image|endswith: '\Microsoft\Teams\current\Teams.exe'
        Details|contains: '\Microsoft\Teams\Update.exe --processStart'
    filter_optional_AVG_setup:
        Image|contains:
            - 'C:\Program Files\AVG\Antivirus\Setup\'
            - 'C:\Program Files (x86)\AVG\Antivirus\Setup\'
            - '\instup.exe'
        Details:
            - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui'
            - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui'
            - '{472083B0-C522-11CF-8763-00608CC02F24}'
            - '{472083B1-C522-11CF-8763-00608CC02F24}'
    filter_optional_Avast:
        Image|contains:
            - 'C:\Program Files\Avast Software\Avast\Setup\'
            - 'C:\Program Files (x86)\Avast Software\Avast\Setup\'
            - '\instup.exe'
        Details:
            - '"C:\Program Files\Avast Software\Avast\AvLaunch.exe" /gui'
            - '"C:\Program Files (x86)\Avast Software\Avast\AvLaunch.exe" /gui'
    filter_optional_AVG_avgtoolsvc:
        Image:
            - 'C:\Program Files\AVG\Antivirus\avgToolsSvc.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\avgToolsSvc.exe'
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run\'
        Details: 'Binary Data'
    filter_optional_aurora_dashboard:
        Image|endswith:
            - '\aurora-agent-64.exe'
            - '\aurora-agent.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard'
        Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe'
    filter_optional_everything:
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\Everything'
        Details|endswith: '\Everything\Everything.exe" -startup' # We remove the starting part as it could be installed in different locations
    filter_optional_discord:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Run\Discord'
        Details|endswith: '\Discord\Update.exe --processStart Discord.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons
    - Legitimate administrators set up autorun keys for legitimate reasons
level: medium
medium
CurrentVersion NT Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
status test author Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) id cbf93e5d-ca6c-4722-8bea-e9119007c248
title: CurrentVersion NT Autorun Keys Modification
id: cbf93e5d-ca6c-4722-8bea-e9119007c248
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_nt_current_version_base:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    selection_nt_current_version:
        TargetObject|contains:
            - '\Winlogon\VmApplet'
            - '\Winlogon\Userinit'
            - '\Winlogon\Taskman'
            - '\Winlogon\Shell'
            - '\Winlogon\GpExtensions'
            - '\Winlogon\AppSetup'
            - '\Winlogon\AlternateShells\AvailableShells'
            - '\Windows\IconServiceLib'
            - '\Windows\Appinit_Dlls'
            - '\Image File Execution Options' # Covered in more detail in 36803969-5421-41ec-b92f-8500f79c23b0
            - '\Font Drivers'
            - '\Drivers32'
            - '\Windows\Run'
            - '\Windows\Load'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
    filter_main_legitimate_subkey:  # Legitimately used subkeys of \Image File Execution Options, which are not used for persistence (see https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
        TargetObject|contains: '\Image File Execution Options\'
        TargetObject|endswith:
            - '\DisableExceptionChainValidation'
            - '\MitigationOptions'
    filter_main_security_extension_dc:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetObject|contains:
            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\PreviousPolicyAreas'
            - '\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}\MaxNoGPOListChangesInterval'
        Details:
            - 'DWORD (0x00000001)'
            - 'DWORD (0x00000009)'
            - 'DWORD (0x000003c0)'
    filter_main_runtimebroker:
        Image: 'C:\Windows\System32\RuntimeBroker.exe'
        TargetObject|contains: '\runtimebroker.exe\Microsoft.Windows.ShellExperienceHost'
    filter_optional_edge:
        Image|startswith: 'C:\Program Files (x86)\Microsoft\Temp\'
        Image|endswith: '\MicrosoftEdgeUpdate.exe'
    filter_optional_avguard:
        Image|startswith:
            - 'C:\Program Files (x86)\Avira\Antivirus\avguard.exe'
            - 'C:\Program Files\Avira\Antivirus\avguard.exe'
        TargetObject|contains: 'SOFTWARE\WOW6432Node\Avira\Antivirus\Overwrite_Keys\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\'
        TargetObject|endswith:
            - '\userinit\UseAsDefault'
            - '\shell\UseAsDefault'
        Details:
            - 'explorer.exe'
            - 'C:\Windows\system32\userinit.exe,'
    filter_optional_msoffice:
        - TargetObject|contains:
              - '\ClickToRunStore\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\'
              - '\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\'
        - Image:
              - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
              - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_optional_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_optional_ngen:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework'
        Image|endswith: '\ngen.exe'
    filter_optional_onedrive:
        Image|endswith: '\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe'
        TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary'
        Details|startswith: 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\'
        Details|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software (mostly during installation) automatically sets up autorun keys for legitimate reasons
    - Legitimate administrators set up autorun keys for legitimate reasons
level: medium
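The condition `all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*` is easy to misread, in particular the `Details: null` filter and the difference between a list of values (OR) and several fields in one map (AND). The following is an added example, not part of this page or of the SigmaHQ rule: a small evaluator that implements those Sigma semantics (case-insensitive matching, `contains`/`startswith`/`endswith`/`all` modifiers, list-of-maps as OR, `null` matching an absent field) and runs a transcribed subset of the rule above over constructed registry_set events. The events use Sysmon Event ID 13 field names and are made up for the example; the paths and registry values in them are assumptions, not observed telemetry.

```python
"""Added example: minimal Sigma evaluator for the CurrentVersion NT Autorun Keys rule.

Sigma semantics implemented: string matching is case-insensitive; a list of values
under one field is OR; several fields inside one selection are AND; a selection
written as a list of maps is OR across those maps; the modifiers contains /
startswith / endswith / all; and `null` matches an absent field.
"""
from __future__ import annotations
from typing import Any

# Subset of the rule's selections and filters, transcribed into Python dicts.
RULE = {
    "selection_nt_current_version_base": {
        "TargetObject|contains": r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion",
    },
    "selection_nt_current_version": {
        "TargetObject|contains": [
            r"\Winlogon\Userinit", r"\Winlogon\Shell", r"\Windows\Appinit_Dlls",
            r"\Image File Execution Options", r"\Windows\Run", r"\Windows\Load",
        ],
    },
    "filter_main_empty": {"Details": "(Empty)"},
    "filter_main_null": {"Details": None},
    "filter_main_poqexec": {"Image": r"C:\Windows\System32\poqexec.exe"},
    "filter_main_legitimate_subkey": {
        "TargetObject|contains": "\\Image File Execution Options\\",
        "TargetObject|endswith": [r"\DisableExceptionChainValidation", r"\MitigationOptions"],
    },
}

# Constructed registry_set events (Sysmon Event ID 13 field names); not real telemetry.
EVENTS = [
    {   # Userinit hijack written from a user-writable path: should alert
        "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
        "Details": r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Local\Temp\update.exe",
    },
    {   # Windows servicing rewriting Winlogon\Shell: suppressed by filter_main_poqexec
        "Image": r"C:\Windows\System32\poqexec.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
        "Details": "explorer.exe",
    },
    {   # value cleared: suppressed by filter_main_empty
        "Image": r"C:\Windows\regedit.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load",
        "Details": "(Empty)",
    },
    {   # IFEO mitigation flag: suppressed by filter_main_legitimate_subkey
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\DisableExceptionChainValidation",
        "Details": "DWORD (0x00000000)",
    },
    {   # key under Windows NT\CurrentVersion that the rule does not list: no alert
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1-2-3-1001\ProfileImagePath",
        "Details": r"C:\Users\bob",
    },
]


def _match_value(actual: Any, expected: Any, modifiers: list[str]) -> bool:
    """Compare one field value against one expected value under the given modifiers."""
    if expected is None:                      # Sigma `null`: the field is absent
        return actual is None
    if actual is None:
        return False
    a, e = str(actual).casefold(), str(expected).casefold()
    if "contains" in modifiers:
        return e in a
    if "startswith" in modifiers:
        return a.startswith(e)
    if "endswith" in modifiers:
        return a.endswith(e)
    return a == e


def selection_matches(event: dict, selection: Any) -> bool:
    """One selection: a map (fields ANDed) or a list of maps (ORed)."""
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    for key, expected in selection.items():
        field, *modifiers = key.split("|")
        values = expected if isinstance(expected, list) else [expected]
        hits = [_match_value(event.get(field), v, modifiers) for v in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def rule_matches(event: dict, rule: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    def group(prefix: str) -> list:
        return [v for k, v in rule.items() if k.startswith(prefix)]
    return (all(selection_matches(event, s) for s in group("selection_"))
            and not any(selection_matches(event, f) for f in group("filter_main_"))
            and not any(selection_matches(event, f) for f in group("filter_optional_")))


def alerts(events: list[dict], rule: dict = RULE) -> list[int]:
    """Indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e, rule)]


if __name__ == "__main__":
    for i in alerts(EVENTS):
        print(f"ALERT event[{i}]: {EVENTS[i]['Image']} -> {EVENTS[i]['TargetObject']}")
```

Only the first event survives: the filters drop the servicing write, the cleared value and the IFEO mitigation flag, and the ProfileList write never satisfies `selection_nt_current_version`. Note that `filter_main_null` fires on events where Details is absent entirely, so a log pipeline that drops empty Details fields silently widens that exclusion.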
medium
DCERPC SMB Spoolss Named Pipe
Detects the use of the spoolss named pipe over SMB. This can be used to coerce any machine with the Print Spooler service enabled into authenticating (NTLM) to a host of the caller's choosing.
status test author OTR (Open Threat Research) id 214e8f95-100a-4e04-bb31-ef6cba8ce07e
title: DCERPC SMB Spoolss Named Pipe
id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
status: test
description: Detects the use of the spoolss named pipe over SMB. This can be used to coerce any machine with the Print Spooler service enabled into authenticating (NTLM) to a host of the caller's choosing.
references:
    - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
    - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
    - https://twitter.com/_dirkjan/status/1309214379003588608
author: OTR (Open Threat Research)
date: 2018-11-28
modified: 2022-08-11
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName: '\\\\\*\\IPC$' # Sigma-escaped form of the literal string \\*\IPC$ (\\ is a literal backslash, \* a literal asterisk)
        RelativeTargetName: spoolss
    condition: selection
falsepositives:
    - 'Domain Controllers acting as printer servers too? :)'
level: medium
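The `ShareName` value is the place this rule usually goes wrong in conversion: an unescaped `*` in Sigma is a wildcard, so `\\*\IPC$` would match any share path ending in `\IPC$`, while the escaped `\\\\\*\\IPC$` matches only the literal string `\\*\IPC$` that Event 5145 records. The following is an added example, not part of this page or of the SigmaHQ rule: a translator from Sigma string values to regular expressions following the escaping rules of the Sigma specification, applied to the rule's selection over constructed Security-log 5145 events. The events, addresses and account names are made up for the example.

```python
"""Added example: expand Sigma-escaped values to regexes and run the
DCERPC SMB Spoolss Named Pipe selection over constructed 5145 events.

Sigma escaping (per the Sigma specification): `\\` is a literal backslash,
`\*` and `\?` are literal wildcard characters, a backslash before any other
character is itself literal, and unescaped `*` / `?` are wildcards.
"""
from __future__ import annotations
import re


def sigma_to_regex(value: str) -> re.Pattern[str]:
    """Translate one Sigma string value into a case-insensitive regex for fullmatch()."""
    parts: list[str] = []
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            parts.append(re.escape(value[i + 1]))   # escaped backslash/wildcard -> literal
            i += 2
            continue
        if c == "*":
            parts.append(".*")                      # wildcard: any run of characters
        elif c == "?":
            parts.append(".")                       # wildcard: exactly one character
        else:
            parts.append(re.escape(c))              # ordinary character, or a lone backslash
        i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


# The rule's selection, values copied as they appear in the YAML.
SELECTION = {
    "EventID": "5145",
    "ShareName": r"\\\\\*\\IPC$",        # plain text: \\*\IPC$
    "RelativeTargetName": "spoolss",
}
COMPILED = {field: sigma_to_regex(value) for field, value in SELECTION.items()}

# Constructed Security-log events using the 5145 field names; not real telemetry.
EVENTS = [
    {"EventID": 5145, "SubjectUserName": "WS01$", "IpAddress": "10.0.0.25",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "spoolss"},          # spoolss pipe opened
    {"EventID": 5145, "SubjectUserName": "alice", "IpAddress": "10.0.0.31",
     "ShareName": r"\\*\IPC$", "RelativeTargetName": "srvsvc"},           # ordinary share enumeration
    {"EventID": 5145, "SubjectUserName": "WS02$", "IpAddress": "10.0.0.40",
     "ShareName": r"\\*\SYSVOL", "RelativeTargetName": r"contoso.local\Policies\GPT.INI"},
    {"EventID": 5140, "SubjectUserName": "WS01$", "IpAddress": "10.0.0.25",
     "ShareName": r"\\*\IPC$"},                                             # share connect only
]


def selection_matches(event: dict) -> bool:
    """Every selection field must be present and match its pattern in full."""
    return all(field in event and COMPILED[field].fullmatch(str(event[field])) is not None
               for field in COMPILED)


def alerts(events: list[dict]) -> list[tuple[str, str]]:
    """(source address, account) for each event that triggers the rule."""
    return [(e["IpAddress"], e["SubjectUserName"]) for e in events if selection_matches(e)]


if __name__ == "__main__":
    print("ShareName regex:", COMPILED["ShareName"].pattern)
    for ip, account in alerts(EVENTS):
        print(f"spoolss pipe opened over SMB from {ip} as {account}")
```

Only the first event fires. When converting this rule by hand to a SIEM language, check that the rendered query still contains a literal asterisk rather than a wildcard, otherwise every IPC$ access with `RelativeTargetName: spoolss` on any share path will match, and more importantly the reverse mistake (a wildcard turned into a literal `*` that never occurs in the data) produces a rule that never fires.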
medium
DLL Call by Ordinal Via Rundll32.EXE
Detects calls to DLL exports by ordinal number via rundll32.exe.
status stable author Florian Roth (Nextron Systems) id e79a9e79-eb72-4e78-a628-0e7e8f59e89c
title: DLL Call by Ordinal Via Rundll32.EXE
id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
status: stable
description: Detects calls to DLL exports by ordinal number via rundll32.exe.
references:
    - https://web.archive.org/web/20200530031906/https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
    - https://github.com/Neo23x0/DLLRunner
    - https://twitter.com/cyb3rops/status/1186631731543236608
    - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/
author: Florian Roth (Nextron Systems)
date: 2019-10-22
modified: 2024-07-16
tags:
    - attack.stealth
    - attack.t1218.011
    - detection.threat-hunting
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains:
            - ',#'
            - ', #'
            - '.dll #'  # Sysmon removes , in its log
            - '.ocx #'  # HermeticWizard
    filter_optional_edge:
        CommandLine|contains|all:
            - 'EDGEHTML.dll'
            - '#141'
    filter_optional_vsbuild_dll:
        ParentImage|contains:
            - '\Msbuild\Current\Bin\'
            - '\VC\Tools\MSVC\'
            - '\Tracker.exe'
        CommandLine|contains:
            - '\FileTracker32.dll,#1'
            - '\FileTracker32.dll",#1'
            - '\FileTracker64.dll,#1'
            - '\FileTracker64.dll",#1'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment.
    - Windows control panel elements have been identified as source (mmc).
level: medium
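The four `selection_cli` strings cover the syntax variants rundll32 accepts (`,#N`, `, #N`) plus the form Sysmon produces after stripping the comma, and the two `filter_optional_*` blocks show how a renamed binary is still caught through `OriginalFileName`. The following is an added example, not part of this page or of the SigmaHQ rule: the rule's logic in Python over constructed process_creation events, extended to pull the DLL path and ordinal out of each hit so an analyst gets the loaded module directly in the alert. Events, paths and the Visual Studio install location are made up for the example.

```python
"""Added example: DLL Call by Ordinal Via Rundll32.EXE over constructed events,
with extraction of the DLL and ordinal from each matching command line."""
from __future__ import annotations
import re

CLI_MARKERS = (",#", ", #", ".dll #", ".ocx #")           # selection_cli, as in the rule
EDGE_FILTER = ("edgehtml.dll", "#141")                      # filter_optional_edge (contains|all)
VSBUILD_PARENTS = ("\\msbuild\\current\\bin\\", "\\vc\\tools\\msvc\\", "\\tracker.exe")
VSBUILD_CLIS = ("\\filetracker32.dll,#1", '\\filetracker32.dll",#1',
                "\\filetracker64.dll,#1", '\\filetracker64.dll",#1')

# <quoted or bare token> [,] #<ordinal>; the comma is optional because Sysmon drops it
ORDINAL_RE = re.compile(r'("[^"]+"|[^\s",]+)\s*,?\s*#(\d+)')

# Constructed process_creation events (Sysmon Event ID 1 field names); not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\p.dll,#2"},
    {"Image": r"C:\Windows\SysWOW64\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'rundll32.exe "C:\ProgramData\cache\x.ocx", #1'},
    {"Image": r"C:\Users\bob\svchost.exe", "OriginalFileName": "RUNDLL32.EXE",   # renamed copy
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"svchost.exe C:\Users\bob\w.dll #3"},                       # comma stripped
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe edgehtml.dll,#141"},                          # filter_optional_edge
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe",
     "CommandLine": r'rundll32.exe "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\FileTracker32.dll",#1'},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},                 # named export
]


def parse_ordinal_call(cmdline: str) -> tuple[str, int] | None:
    """Return (dll, ordinal) for the first `<dll>[,] #N` argument, or None."""
    m = ORDINAL_RE.search(cmdline)
    if not m:
        return None
    return m.group(1).strip('"'), int(m.group(2))


def rule_matches(event: dict) -> bool:
    """selection_img AND selection_cli, minus the two optional filters (case-insensitive)."""
    image = event.get("Image", "").casefold()
    original = event.get("OriginalFileName", "").casefold()
    cli = event.get("CommandLine", "").casefold()
    parent = event.get("ParentImage", "").casefold()
    is_rundll32 = image.endswith("\\rundll32.exe") or original == "rundll32.exe"
    if not (is_rundll32 and any(marker in cli for marker in CLI_MARKERS)):
        return False
    if all(part in cli for part in EDGE_FILTER):
        return False
    if any(p in parent for p in VSBUILD_PARENTS) and any(c in cli for c in VSBUILD_CLIS):
        return False
    return True


def detect(events: list[dict]) -> list[dict]:
    """Hits enriched with the DLL and ordinal parsed from the command line."""
    hits = []
    for i, e in enumerate(events):
        if rule_matches(e):
            parsed = parse_ordinal_call(e["CommandLine"])
            hits.append({"index": i,
                         "dll": parsed[0] if parsed else None,
                         "ordinal": parsed[1] if parsed else None})
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(f"event[{h['index']}]: ordinal #{h['ordinal']} of {h['dll']}")
```

Events 0 to 2 fire, including the renamed copy that only `OriginalFileName` identifies; the EdgeHTML and FileTracker cases are dropped by the filters and the named-export call never matches `selection_cli`. The parser is deliberately looser than the rule (it accepts a bare token without `.dll`, since rundll32 appends the extension itself), so it is used for enrichment only and the verdict stays with the rule's own string matches.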
medium
DLL Execution Via Register-cimprovider.exe
Detects the use of register-cimprovider.exe to load an arbitrary DLL file.
status test author Ivan Dyachkov, Yulia Fomina, oscd.community id a2910908-e86f-4687-aeba-76a5f996e652
title: DLL Execution Via Register-cimprovider.exe
id: a2910908-e86f-4687-aeba-76a5f996e652
status: test
description: Detects the use of register-cimprovider.exe to load an arbitrary DLL file.
references:
    - https://twitter.com/PhilipTsukerman/status/992021361106268161
    - https://lolbas-project.github.io/lolbas/Binaries/Register-cimprovider/
author: Ivan Dyachkov, Yulia Fomina, oscd.community
date: 2020-10-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\register-cimprovider.exe'
        CommandLine|contains|all:
            - '-path'
            - 'dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
DLL Execution via Rasautou.exe
Detects the use of rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with -p.
status test author Julia Fomina, oscd.community id cd3d1298-eb3b-476c-ac67-12847de55813
title: DLL Execution via Rasautou.exe
id: cd3d1298-eb3b-476c-ac67-12847de55813
status: test
description: Detects the use of rasautou.exe to load an arbitrary DLL specified with the -d option and execute the export specified with -p.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
    - https://github.com/fireeye/DueDLLigence
    - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
author: Julia Fomina, oscd.community
date: 2020-10-09
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: process_creation
    definition: The '-d' and '-p' options were removed in Windows 10, so this rule is relevant only to Windows versions before 10. Windows 7 does not log the command line in event 4688 by default, so detecting this technique requires Sysmon event 1 or KB3004375 for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
detection:
    selection_img:
        - Image|endswith: '\rasautou.exe'
        - OriginalFileName: 'rasdlui.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' -d '
            - ' -p '
    condition: all of selection*
falsepositives:
    - Unlikely
level: medium