Sigma (generic) detection rules
3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by technique (pick techniques from the ATT&CK matrix)
Reconnaissance (12)
Resource Development (10)
Initial Access (10)
Execution (30)
Persistence (43)
Privilege Escalation (20)
Stealth (83)
Defense Impairment (32)
Credential Access (35)
Discovery (33)
Lateral Movement (16)
Collection (20)
Command and Control (24)
Exfiltration (10)
Impact (18)
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
Detection rules
50 shown of 3,750
high · Strong · Medium FP
SMB Create Remote File Admin Share
Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e. C$).

title: SMB Create Remote File Admin Share
id: b210394c-ba12-4f89-9117-44a2464b9511
status: test
description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e. C$).
references:
    - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
    - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
date: 2020-08-06
modified: 2025-10-17
tags:
    - attack.lateral-movement
    - attack.t1021.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|endswith: 'C$'
        AccessMask: '0x2'
    filter_main_subjectusername:
        SubjectUserName|endswith: '$'
    filter_optional_local_ip:
        IpAddress: '::1'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high · Moderate · High FP
SNAKE Malware Covert Store Registry Key
Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA

title: SNAKE Malware Covert Store Registry Key
id: d0fa35db-0e92-400e-aa16-d32ae2521618
status: test
description: Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-11
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: 'SECURITY\Policy\Secrets\n'
    condition: selection
level: high
high · Moderate · Medium FP
SNAKE Malware WerFault Persistence File Creation
Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity

title: SNAKE Malware WerFault Persistence File Creation
id: 64827580-e4c3-4c64-97eb-c72325d45399
status: test
description: Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
references:
    - https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-10
modified: 2023-05-18
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\WinSxS\'
        TargetFilename|endswith: '\WerFault.exe'
    filter_main_system_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high · Strong · Medium FP
SOURGUM Actor Behaviours
Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM

title: SOURGUM Actor Behaviours
id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
status: test
description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
references:
    - https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
    - https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
    - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
author: MSTIC, FPT.EagleEye
date: 2021-06-15
modified: 2022-10-09
tags:
    - attack.t1546
    - attack.t1546.015
    - attack.persistence
    - attack.privilege-escalation
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|contains:
            - 'windows\system32\Physmem.sys'
            - 'Windows\system32\ime\SHARED\WimBootConfigurations.ini'
            - 'Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
            - 'Windows\system32\ime\IMETC\WimBootConfigurations.ini'
    registry_image:
        Image|contains:
            - 'windows\system32\filepath2'
            - 'windows\system32\ime'
        CommandLine|contains: 'reg add'
    registry_key:
        CommandLine|contains:
            - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32'
            - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32'
    condition: selection or all of registry_*
falsepositives:
    - Unknown
level: high
high · Strong · Medium FP
SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.

title: SQL Injection Strings In URI
id: 5513deaf-f49a-46c2-a6c8-3f111b5cb453
status: test
description: Detects potential SQL injection attempts via GET requests in access logs.
references:
    - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
    - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
    - https://brightsec.com/blog/sql-injection-payloads/
    - https://github.com/payloadbox/sql-injection-payload-list
    - https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection
author: Saw Win Naung, Nasreddine Bencherchali (Nextron Systems), Thurein Oo (Yoma Bank)
date: 2020-02-22
modified: 2023-09-04
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
    keywords:
        - '@@version'
        - '%271%27%3D%271'
        - '=select '
        - '=select('
        - '=select%20'
        - 'concat_ws('
        - 'CONCAT(0x'
        - 'from mysql.innodb_table_stats'
        - 'from%20mysql.innodb_table_stats'
        - 'group_concat('
        - 'information_schema.tables'
        - 'json_arrayagg('
        - 'or 1=1#'
        - 'or%201=1#'
        - 'order by '
        - 'order%20by%20'
        - 'select * '
        - 'select database()'
        - 'select version()'
        - 'select%20*%20'
        - 'select%20database()'
        - 'select%20version()'
        - 'select%28sleep%2810%29'
        - 'SELECTCHAR('
        - 'table_schema'
        - 'UNION ALL SELECT'
        - 'UNION SELECT'
        - 'UNION%20ALL%20SELECT'
        - 'UNION%20SELECT'
        - "'1'='1"
    filter_main_status:
        sc-status: 404
    condition: selection and keywords and not 1 of filter_main_*
falsepositives:
    - Java scripts and CSS Files
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause some serious FPs when used, if you experience a lot of FPs due to this think of adding more filters such as "User Agent" strings and more response codes
level: high
high · Moderate · Medium FP
SQLite Chromium Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.

title: SQLite Chromium Profile Data DB Access
id: 24c77512-782b-448a-8950-eddb0785fc71
status: test
description: Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: TropChaud
date: 2022-12-19
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.t1555.003
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_chromium:
        CommandLine|contains:
            - '\User Data\' # Most common folder for user profile data among Chromium browsers
            - '\Opera Software\' # Opera
            - '\ChromiumViewer\' # Sleipnir (Fenrir)
    selection_data:
        CommandLine|contains:
            - 'Login Data' # Passwords
            - 'Cookies'
            - 'Web Data' # Credit cards, autofill data
            - 'History'
            - 'Bookmarks'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high · Moderate · High FP
SQLite Firefox Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.

title: SQLite Firefox Profile Data DB Access
id: 4833155a-4053-4c9c-a997-777fcea0baa7
status: test
description: Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
    - https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/
author: frack113
date: 2022-04-08
modified: 2023-01-19
tags:
    - attack.credential-access
    - attack.t1539
    - attack.collection
    - attack.t1005
logsource:
    category: process_creation
    product: windows
detection:
    selection_sql:
        - Product: SQLite
        - Image|endswith:
              - '\sqlite.exe'
              - '\sqlite3.exe'
    selection_firefox:
        CommandLine|contains:
            - 'cookies.sqlite'
            - 'places.sqlite' # Bookmarks, history
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high · Moderate · High FP
SafeBoot Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent safe-boot execution of security products

title: SafeBoot Registry Key Deleted Via Reg.EXE
id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
related:
    - id: d7662ff6-9e97-4596-a61d-9839e32dee8d
      type: similar
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent safe-boot execution of security products
references:
    - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
author: Nasreddine Bencherchali (Nextron Systems), Tim Shelton
date: 2022-08-08
modified: 2023-02-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains|all:
            - ' delete '
            - '\SYSTEM\CurrentControlSet\Control\SafeBoot'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high · Moderate · Low FP
Scanner PoC for CVE-2019-0708 RDP RCE Vuln
Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep

title: Scanner PoC for CVE-2019-0708 RDP RCE Vuln
id: 8400629e-79a9-4737-b387-5db940ab2367
status: test
description: Detects the use of a scanner by zerosum0x0 that discovers targets vulnerable to CVE-2019-0708 RDP RCE aka BlueKeep
references:
    - https://twitter.com/AdamTheAnalyst/status/1134394070045003776
    - https://web.archive.org/web/20190710034152/https://github.com/zerosum0x0/CVE-2019-0708
author: Florian Roth (Nextron Systems), Adam Bradbury (idea)
date: 2019-06-02
modified: 2022-12-25
tags:
    - attack.lateral-movement
    - attack.t1210
    - car.2013-07-002
    - detection.emerging-threats
    - cve.2019-0708
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4625
        TargetUserName: AAAAAAA
    condition: selection
falsepositives:
    - Unlikely
level: high
high · Moderate · High FP
Scheduled Task Creation Masquerading as System Processes
Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.

title: Scheduled Task Creation Masquerading as System Processes
id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
status: experimental
description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.stealth
    - attack.t1053.005
    - attack.t1036.004
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains|windash: ' /create '
        CommandLine|contains:
            - ' audiodg'
            - ' conhost'
            - ' dwm.exe'
            - ' explorer'
            - ' lsass'
            - ' lsm'
            - ' mmc'
            - ' msiexec'
            - ' regsvr32'
            - ' rundll32'
            - ' services'
            - ' spoolsv'
            - ' svchost'
            - ' taskeng'
            - ' taskhost'
            - ' wininit'
            - ' winlogon'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration tasks scheduling trusted system processes.
level: high
high · Strong · Medium FP
Scheduled Task Executing Encoded Payload from Registry
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.

title: Scheduled Task Executing Encoded Payload from Registry
id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
status: test
description: Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport, X__Junior (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-12
modified: 2023-02-04
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        # schtasks.exe /Create /F /TN "{97F2F70B-10D1-4447-A2F3-9B070C86E261}" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\SOFTWARE\Pvoeooxf).yzbbvhhdypa))) " /SC MINUTE /MO 30
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_create:
        CommandLine|contains: '/Create'
    selection_cli_encoding:
        CommandLine|contains:
            - 'FromBase64String'
            - 'encodedcommand'
    selection_cli_get:
        CommandLine|contains:
            - 'Get-ItemProperty'
            - ' gp ' # Alias
    selection_cli_hive:
        CommandLine|contains:
            - 'HKCU:'
            - 'HKLM:'
            - 'registry::'
            - 'HKEY_'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high · Strong · Medium FP
Scheduled TaskCache Change by Uncommon Program
Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious

title: Scheduled TaskCache Change by Uncommon Program
id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
status: test
description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://labs.f-secure.com/blog/scheduled-task-tampering/
author: Syed Hasan (@syedhasan009)
date: 2021-06-18
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053
    - attack.t1053.005
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_other:
        TargetObject|contains:
            - 'Microsoft\Windows\UpdateOrchestrator'
            - 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index'
            - 'Microsoft\Windows\Flighting\OneSettings\RefreshCache\Index'
    filter_main_mousocoreworker:
        Image|endswith: 'C:\Windows\System32\MoUsoCoreWorker.exe'
    filter_main_services:
        Image|endswith: 'C:\Windows\System32\services.exe'
    filter_main_tiworker:
        Image|startswith: 'C:\Windows\'
        Image|endswith: '\TiWorker.exe'
    filter_main_svchost:
        Image: 'C:\WINDOWS\system32\svchost.exe'
    filter_main_ngen:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\
        Image|endswith: '\ngen.exe'
        TargetObject|contains:
            - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}'
            - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN'
    filter_main_office:
        Image:
            - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe'
            - 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
            - 'C:\Program Files (x86)\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
    filter_main_msiexec:
        Image: 'C:\Windows\System32\msiexec.exe'
    filter_main_explorer:
        Image: 'C:\Windows\explorer.exe'
        TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\PLA\Server Manager Performance Monitor\'
    filter_main_system:
        Image: 'System'
    filter_main_runtimebroker:
        Image: 'C:\Windows\System32\RuntimeBroker.exe'
    filter_optional_dropbox_updater:
        Image:
            - 'C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe'
            - 'C:\Program Files\Dropbox\Update\DropboxUpdate.exe'
    filter_optional_edge:
        Image|endswith:
            - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
            - 'C:\Program Files\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
    filter_optional_onedrive:
        Image|endswith:
            - 'C:\Program Files (x86)\Microsoft OneDrive\OneDrive.exe'
            - 'C:\Program Files\Microsoft OneDrive\OneDrive.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high · Moderate · Low FP
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
Hunts for known SVR-specific scheduled task names

title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
id: 8fa65166-f463-4fd2-ad4f-1436133c52e1
related:
    - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
      type: similar
status: test
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
date: 2023-12-18
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    service: security
    product: windows
detection:
    selection:
        EventID:
            - 4698
            - 4699
            - 4702
        TaskName:
            - '\defender'
            - '\Microsoft\DefenderService'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
            - '\Microsoft\Windows\ATPUpd'
            - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
            - '\Microsoft\Windows\DefenderUPDService'
            - '\Microsoft\Windows\IISUpdateService'
            - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
            - '\Microsoft\Windows\WiMSDFS'
            - '\Microsoft\Windows\Windows Defender\Defender Update Service'
            - '\Microsoft\Windows\Windows Defender\Service Update'
            - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
            - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
            - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
            - '\Microsoft\Windows\WindowsDefenderService'
            - '\Microsoft\Windows\WindowsDefenderService2'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
            - '\WindowUpdate'
    condition: selection
falsepositives:
    - Unknown
level: high
high · Moderate · Low FP
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
Hunts for known SVR-specific scheduled task names

title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
related:
    - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Auditing Eventlog
      type: similar
status: test
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
date: 2023-12-18
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    product: windows
    service: taskscheduler
    definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
    selection:
        EventID:
            - 129 # Task Created
            - 140 # Task Updated
            - 141 # Task Deleted
        TaskName:
            - '\defender'
            - '\Microsoft\DefenderService'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
            - '\Microsoft\Windows\ATPUpd'
            - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
            - '\Microsoft\Windows\DefenderUPDService'
            - '\Microsoft\Windows\IISUpdateService'
            - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
            - '\Microsoft\Windows\WiMSDFS'
            - '\Microsoft\Windows\Windows Defender\Defender Update Service'
            - '\Microsoft\Windows\Windows Defender\Service Update'
            - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
            - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
            - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
            - '\Microsoft\Windows\WindowsDefenderService'
            - '\Microsoft\Windows\WindowsDefenderService2'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
            - '\WindowUpdate'
    condition: selection
falsepositives:
    - Unknown
level: high
high · Strong · Medium FP
Schtasks Creation Or Modification With SYSTEM Privileges
Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

title: Schtasks Creation Or Modification With SYSTEM Privileges
id: 89ca78fd-b37c-4310-b3d3-81a023f83936
status: test
description: Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
references:
    - https://www.elastic.co/security-labs/exploring-the-qbot-attack-pattern
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-28
modified: 2025-02-15
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_root:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - ' /change '
            - ' /create '
    selection_run:
        CommandLine|contains: '/ru '
    selection_user:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM ' # SYSTEM is a valid value for schtasks, hence it gets its own value with surrounding spaces
    filter_optional_teamviewer:
        # FP from test set in SIGMA
        # Cannot use ParentImage on all OSes for 4688 events
        # ParentImage|contains|all:
        #     - '\AppData\Local\Temp\'
        #     - 'TeamViewer_.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/TN TVInstallRestore'
            - '\TeamViewer_.exe'
    filter_optional_office:
        CommandLine|contains|all:
            # https://answers.microsoft.com/en-us/msoffice/forum/all/office-15-subscription-heartbeat-task-created-on/43ab5e53-a9fb-47c6-8c14-44889974b9ff
            - 'Subscription Heartbeat'
            - '\HeartbeatConfig.xml'
            - '\Microsoft Shared\OFFICE'
    filter_optional_avira:
        CommandLine|contains:
            - '/Create /F /RU System /SC WEEKLY /TN AviraSystemSpeedupVerify /TR '
            - ':\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe'
            - '/VERIFY /VERYSILENT /NOSTART /NODOTNET /NORESTART" /RL HIGHEST'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high · Moderate · Medium FP
Schtasks From Suspicious Folders
Detects scheduled task creations that have suspicious action command and folder combinations

title: Schtasks From Suspicious Folders
id: 8a8379b8-780b-4dbf-b1e9-31c8d112fefb
status: test
description: Detects scheduled task creations that have suspicious action command and folder combinations
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical
author: Florian Roth (Nextron Systems)
date: 2022-04-15
modified: 2022-11-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_create:
        CommandLine|contains: ' /create '
    selection_command:
        CommandLine|contains:
            - 'powershell'
            - 'pwsh'
            - 'cmd /c '
            - 'cmd /k '
            - 'cmd /r '
            - 'cmd.exe /c '
            - 'cmd.exe /k '
            - 'cmd.exe /r '
    selection_all_folders:
        CommandLine|contains:
            - 'C:\ProgramData\'
            - '%ProgramData%'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high · Moderate · High FP
ScreenConnect - SlashAndGrab Exploitation Indicators
Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported by Team Huntress

title: ScreenConnect - SlashAndGrab Exploitation Indicators
id: 05164d17-8e11-4d7d-973e-9e4962436b87
status: test
description: |
    Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported by Team Huntress
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains|all:
              - 'C:\Windows\Temp\ScreenConnect\'
              - '\LB3.exe'
        - TargetFilename|contains:
              - 'C:\mpyutd.msi'
              - 'C:\perflogs\RunSchedulerTaskOnce.ps1'
              - 'C:\ProgramData\1.msi'
              - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi'
              - 'C:\ProgramData\update.dat'
              - 'C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe'
              - 'C:\Windows\Help\Help\SentinelAgentCore.dll'
              - 'C:\Windows\Help\Help\SentinelUI.exe'
              - 'C:\Windows\spsrv.exe'
              - 'C:\Windows\Temp\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high · Moderate · Medium FP
Script Event Consumer Spawning Process
Detects a suspicious child process of Script Event Consumer (scrcons.exe).

title: Script Event Consumer Spawning Process
id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34
status: test
description: Detects a suspicious child process of Script Event Consumer (scrcons.exe).
references:
    - https://redcanary.com/blog/child-processes/
    - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html
author: Sittikorn S
date: 2021-06-21
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1047
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\scrcons.exe'
        Image|endswith:
            - '\svchost.exe'
            - '\dllhost.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\msbuild.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high · Strong · Medium FP
Script Interpreter Execution From Suspicious Folder
Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity.
Script interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.

title: Script Interpreter Execution From Suspicious Folder
id: 1228c958-e64e-4e71-92ad-7d429f4138ba
status: test
description: |
    Detects suspicious script execution from suspicious directories or folders accessible by environment variables that may indicate malware activity.
    Script interpreters (cscript, wscript, mshta, powershell) executing from folders like Temp, Public, or user profile directories may suggest attempts to evade detection or execute malicious scripts.
references:
    - https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military
    - https://learn.microsoft.com/en-us/windows/win32/shell/csidl
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-08
modified: 2026-02-17
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_proc_image:
        Image|endswith:
            - '\cscript.exe'
            - '\mshta.exe'
            - '\wscript.exe'
    selection_proc_flags:
        CommandLine|contains:
            - ' -ep bypass '
            - ' -ExecutionPolicy bypass '
            - ' -w hidden '
            - '/e:javascript '
            - '/e:Jscript '
            - '/e:vbscript '
    selection_proc_original:
        OriginalFileName:
            - 'cscript.exe'
            - 'mshta.exe'
            - 'wscript.exe'
    selection_folders_1:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\%Public%'
            - '\AppData\Local\Temp'
            - '\AppData\Roaming\Temp'
            - '\Temporary Internet'
            - '\Windows\Temp'
            - '\Start Menu\Programs\Startup\'
            - '%TEMP%'
            - '%TMP%'
            - '%LocalAppData%\Temp'
    selection_folders_2:
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Documents\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Music\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Pictures\'
        - CommandLine|contains|all:
              - ':\Users\'
              - '\Videos\'
    filter_optional_chocolatey_installer:
        ParentImage:
            - 'C:\Windows\System32\Msiexec.exe'
            - 'C:\Windows\SysWOW64\Msiexec.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - '-NoProfile -ExecutionPolicy Bypass -Command'
            - 'AppData\Local\Temp\'
            - 'Install-Chocolatey.ps1'
    condition: 1 of selection_proc_* and 1 of selection_folders_* and not 1 of filter_optional_*
falsepositives:
    - Various legitimate software has been observed to use similar techniques for installation or update purposes; thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
level: high
high
Moderate
High FP
Script Interpreter Spawning Credential Scanner - Linux
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
title: Script Interpreter Spawning Credential Scanner - Linux
id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
related:
    - id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.execution
    - attack.collection
    - attack.t1005
    - attack.t1059.004
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more script interpreters as needed
            - '/node'
            - '/bun'
    selection_child:
        - Image|endswith:
              - '/trufflehog'
              - '/gitleaks'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
high
Moderate
High FP
Script Interpreter Spawning Credential Scanner - Windows
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
title: Script Interpreter Spawning Credential Scanner - Windows
id: 0f60b28c-64dd-4e2c-9a63-5334d3e3a6e6
related:
    - id: f0025a69-e1b7-4dda-a53c-db21fa2d4071
      type: similar
status: experimental
description: |
    Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks).
    This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
references:
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/bun_environment.js
    - https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised
    - https://www.endorlabs.com/learn/shai-hulud-2-malware-campaign-targets-github-and-cloud-credentials-using-bun-runtime
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.credential-access
    - attack.t1552
    - attack.collection
    - attack.execution
    - attack.t1005
    - attack.t1059.007
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            # Add more script interpreters as needed
            - '\node.exe'
            - '\bun.exe'
    selection_child:
        - Image|endswith:
              - 'trufflehog.exe'
              - 'gitleaks.exe'
        - CommandLine|contains:
              - 'trufflehog'
              - 'gitleaks'
    condition: all of selection_*
falsepositives:
    - Legitimate pre-commit hooks or CI/CD pipeline jobs that use a script to run a credential scanner as part of a security check.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_susp_script_interpretor_spawn_credential_scanner/info.yml
high
Strong
Medium FP
Sdiagnhost Calling Suspicious Child Process
Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
title: Sdiagnhost Calling Suspicious Child Process
id: f3d39c45-de1a-4486-a687-ab126124f744
status: test
description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
    - https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    - https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/
author: Nextron Systems, @Kostastsale
date: 2022-06-01
modified: 2024-08-23
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sdiagnhost.exe'
        Image|endswith:
            # Add more suspicious LOLBins
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\taskkill.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            # - '\csc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
            - '\calc.exe' # https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/
    filter_main_cmd_bits:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'bits'
    filter_main_powershell_noprofile:
        Image|endswith: '\powershell.exe'
        CommandLine|endswith:
            - '-noprofile -'
            - '-noprofile'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Security Event Logging Disabled via MiniNt Registry Key - Process
Detects attempts to disable security event logging by adding the `MiniNt` registry key.
This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
title: Security Event Logging Disabled via MiniNt Registry Key - Process
id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462
related:
    - id: 8839e550-52d7-4958-9f2f-e13c1e736838 # Disable Security Events Logging Adding Reg Key MiniNt - Registry Set
      type: similar
status: experimental
description: |
    Detects attempts to disable security event logging by adding the `MiniNt` registry key.
    This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications.
    Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
references:
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        # Example: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cmd:
        CommandLine|contains|all:
            - ' add '
            - '\SYSTEM\CurrentControlSet\Control\MiniNt'
    selection_powershell_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\powershell_ise.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_powershell_cmd1:
        CommandLine|contains:
            - 'New-Item '
            - 'ni '
    selection_powershell_cmd2:
        CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\MiniNt'
    condition: all of selection_reg_* or all of selection_powershell_*
falsepositives:
    - Highly Unlikely
level: high
high
Moderate
Medium FP
Security Event Logging Disabled via MiniNt Registry Key - Registry Set
Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, Windows Event Log service will stop writing events.
Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
title: Security Event Logging Disabled via MiniNt Registry Key - Registry Set
id: 8839e550-52d7-4958-9f2f-e13c1e736838
related:
    - id: 1a4bd6af-99ac-4466-b5b2-7b72b4a05462 # Security Event Logging Disabled Via MiniNt Registry Key
      type: similar
status: experimental
description: |
    Detects the addition of the 'MiniNt' key to the registry. Upon a reboot, the Windows Event Log service will stop writing events.
    Windows Event Log is a service that collects and stores event logs from the operating system and applications. It is an important component of Windows security and auditing.
    Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
references:
    - https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-04-09
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1112
    - car.2022-03-001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject: 'HKLM\System\CurrentControlSet\Control\MiniNt\(Default)'
    condition: selection
falsepositives:
    - Highly Unlikely
level: high
high
Strong
Low FP
Security Eventlog Cleared
One of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution
title: Security Eventlog Cleared
id: d99b79d2-0a6f-4f46-ad8b-260b6e17f982
related:
    - id: f2f01843-e7b8-4f95-a35a-d23584476423
      type: obsolete
    - id: a122ac13-daf8-4175-83a2-72c387be339d
      type: obsolete
status: test
description: One of the Windows Eventlogs has been cleared, e.g. caused by "wevtutil cl" command execution
references:
    - https://twitter.com/deviouspolack/status/832535435960209408
    - https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100
    - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml
author: Florian Roth (Nextron Systems)
date: 2017-01-10
modified: 2022-02-24
tags:
    - attack.defense-impairment
    - attack.t1685.005
    - car.2016-04-002
logsource:
    product: windows
    service: security
detection:
    selection_517:
        EventID: 517
        Provider_Name: Security
    selection_1102:
        EventID: 1102
        Provider_Name: Microsoft-Windows-Eventlog
    condition: 1 of selection_*
falsepositives:
    - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog)
    - System provisioning (system reset before the golden image creation)
level: high
high
Moderate
High FP
Security Privileges Enumeration Via Whoami.EXE
Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
title: Security Privileges Enumeration Via Whoami.EXE
id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
status: test
description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Florian Roth (Nextron Systems)
date: 2021-05-05
modified: 2023-02-28
tags:
    - attack.privilege-escalation
    - attack.discovery
    - attack.t1033
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    selection_cli:
        CommandLine|contains:
            - ' /priv'
            - ' -priv'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Security Service Disabled Via Reg.EXE
Detects execution of "reg.exe" to disable security services such as Windows Defender.
title: Security Service Disabled Via Reg.EXE
id: 5e95028c-5229-4214-afae-d653d573d0ec
status: test
description: Detects execution of "reg.exe" to disable security services such as Windows Defender.
references:
    - https://twitter.com/JohnLaTwC/status/1415295021041979392
    - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
    - https://vms.drweb.fr/virus/?i=24144899
    - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
date: 2021-07-14
modified: 2023-06-05
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_add:
        CommandLine|contains|all:
            - 'reg'
            - 'add'
    selection_cli_reg_start:
        CommandLine|contains|all:
            - 'd 4'
            - 'v Start'
        CommandLine|contains:
            - '\AppIDSvc'
            - '\MsMpSvc'
            - '\NisSrv'
            - '\SecurityHealthService'
            - '\Sense'
            - '\UsoSvc'
            - '\WdBoot'
            - '\WdFilter'
            - '\WdNisDrv'
            - '\WdNisSvc'
            - '\WinDefend'
            - '\wscsvc'
            - '\wuauserv'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Moderate
Medium FP
Security Support Provider (SSP) Added to LSA Configuration
Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
title: Security Support Provider (SSP) Added to LSA Configuration
id: eeb30123-9fbd-4ee8-aaa0-2e545bbed6dc
status: test
description: |
    Detects the addition of an SSP to the registry. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows.
references:
    - https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/
    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Install-SSP.ps1#L157
author: iwillkeepwatch
date: 2019-01-18
modified: 2026-03-30
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.005
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith:
            - '\Control\Lsa\Security Packages'
            - '\Control\Lsa\OSConfig\Security Packages'
    filter_main_msiexec:
        Image:
            - 'C:\Windows\system32\msiexec.exe'
            - 'C:\Windows\syswow64\MsiExec.exe'
    filter_main_image_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
This behavior has been observed in-the-wild by different threat actors.
title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
id: b2b048b0-7857-4380-b0fb-d3f0ab820b71
status: test
description: |
    Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
    This behavior has been observed in-the-wild by different threat actors.
references:
    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
    - https://en.wikipedia.org/wiki/IExpress
    - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-05
modified: 2024-06-04
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    # VT Query: behavior_processes:"iexpress.exe" and behavior_processes:"/n /q /m" and behavior_processes:"*.sed*" and p:5+
    selection_img:
        - Image|endswith: '\iexpress.exe'
        - OriginalFileName: 'IEXPRESS.exe'
    selection_cli:
        CommandLine|contains|windash: ' /n '
    selection_paths:
        CommandLine|contains:
            # Note: Add more uncommon paths that fit your organizational needs.
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
    condition: all of selection_*
falsepositives:
    - Administrators building packages using iexpress.exe
level: high
high
Moderate
High FP
Sensitive File Access Via Volume Shadow Copy Backup
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
title: Sensitive File Access Via Volume Shadow Copy Backup
id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d
status: test
description: |
    Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
references:
    - https://twitter.com/vxunderground/status/1423336151860002816?s=20
    - https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection
    - https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/
author: Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems)
date: 2021-08-09
modified: 2024-01-18
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        # copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1
        # There is an additional "\" to escape the special "?"
        CommandLine|contains: '\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy'
    selection_2:
        CommandLine|contains:
            - '\\NTDS.dit'
            - '\\SYSTEM'
            - '\\SECURITY'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Strong
High FP
Sensitive File Dump Via Print.EXE
Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.
title: Sensitive File Dump Via Print.EXE
id: 2fcda7e2-8c57-4904-86ac-37fc3157e09d
status: test
description: |
    Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.
references:
    - https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
    - https://www.huntress.com/blog/credential-theft-expanding-your-reach-pt-2
    - https://lolbas-project.github.io/lolbas/Binaries/Print/
author: Ayush Anand (Securityinbits)
date: 2026-04-28
tags:
    - attack.credential-access
    - attack.stealth
    - attack.t1003.003
    - attack.t1003.002
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\print.exe'
        - OriginalFileName: 'Print.EXE'
    selection_cli:
        CommandLine|contains|windash: '/D'
        CommandLine|contains:
            - '\config\SAM'
            - '\config\SECURITY'
            - '\config\SYSTEM'
            - '\windows\ntds\ntds.dit'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_print_dump_sensitive_files/info.yml
high
Strong
Medium FP
Sensitive File Dump Via Wbadmin.EXE
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
title: Sensitive File Dump Via Wbadmin.EXE
id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15
status: test
description: |
    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
    Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_backup:
        CommandLine|contains:
            - 'start'
            - 'backup'
    selection_path:
        CommandLine|contains:
            - '\config\SAM'
            - '\config\SECURITY'
            - '\config\SYSTEM'
            - '\Windows\NTDS\NTDS.dit'
    condition: all of selection_*
falsepositives:
    - Legitimate backup operation by authorized administrators. Matches must be investigated and allowed on a case by case basis.
level: high
high
Moderate
High FP
Sensitive File Recovery From Backup Via Wbadmin.EXE
Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
title: Sensitive File Recovery From Backup Via Wbadmin.EXE
id: 84972c80-251c-4c3a-9079-4f00aad93938
related:
    - id: 6fe4aa1e-0531-4510-8be2-782154b73b48
      type: derived
status: test
description: |
    Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
    Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/blob/2cc01b01132b5c304027a658c698ae09dd6a92bf/yml/OSBinaries/Wbadmin.yml
    - https://lolbas-project.github.io/lolbas/Binaries/Wbadmin/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-recovery
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-start-backup
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2024-05-10
tags:
    - attack.credential-access
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection_backup:
        CommandLine|contains|all:
            - ' recovery'
            - 'recoveryTarget'
            - 'itemtype:File'
        CommandLine|contains:
            - '\config\SAM'
            - '\config\SECURITY'
            - '\config\SYSTEM'
            - '\Windows\NTDS\NTDS.dit'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Serpent Backdoor Payload Execution Via Scheduled Task
Detects the post-exploitation execution technique of the Serpent backdoor.
According to Proofpoint, one of the commands the backdoor ran created a temporary scheduled task using an unusual method.
It creates a fictitious Windows event and a trigger so that, once the event is created, the payload executes.
title: Serpent Backdoor Payload Execution Via Scheduled Task
id: d5eb7432-fda4-4bba-a37f-ffa74d9ed639
status: test
description: |
    Detects the post-exploitation execution technique of the Serpent backdoor.
    According to Proofpoint, one of the commands the backdoor ran created a temporary scheduled task using an unusual method.
    It creates a fictitious Windows event and a trigger so that, once the event is created, the payload executes.
references:
    - https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain
author: '@kostastsale'
date: 2022-03-21
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.006
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains|all:
            - '[System/EventID='
            - '/create'
            - '/delete'
            - '/ec'
            - '/so'
            - '/tn run'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Strong
Low FP
Server Side Template Injection Strings
Detects SSTI attempts sent via GET requests in access logs
title: Server Side Template Injection Strings
id: ada3bc4f-f0fd-42b9-ba91-e105e8af7342
status: test
description: Detects SSTI attempts sent via GET requests in access logs
references:
    - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
    - https://github.com/payloadbox/ssti-payloads
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
    - attack.stealth
    - attack.t1221
logsource:
    category: webserver
detection:
    select_method:
        cs-method: 'GET'
    keywords:
        - '={{'
        - '=%7B%7B'
        - '=${'
        - '=$%7B'
        - '=<%='
        - '=%3C%25='
        - '=@('
        - 'freemarker.template.utility.Execute'
        - .getClass().forName('javax.script.ScriptEngineManager')
        - 'T(org.apache.commons.io.IOUtils)'
    filter:
        sc-status: 404
    condition: select_method and keywords and not filter
falsepositives:
    - User searches in search boxes of the respective website
    - Internal vulnerability scanners can cause serious FPs; if you see many FPs from them, consider adding more filters such as "User Agent" strings and additional response codes
level: high
high
Strong
Medium FP
Service Binary in Suspicious Folder
Detect the creation of a service with a service binary located in a suspicious directory
title: Service Binary in Suspicious Folder
id: a07f0359-4c90-4dc4-a681-8ffea40b4f47
related:
    - id: c0abc838-36b0-47c9-b3b3-a90c39455382
      type: obsolete
status: test
description: Detect the creation of a service with a service binary located in a suspicious directory
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Florian Roth (Nextron Systems), frack113
date: 2022-05-02
modified: 2025-10-07
tags:
    - attack.persistence
    - attack.defense-impairment
    - attack.t1112
logsource:
    category: registry_set
    product: windows
detection:
    selection_service_start:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\Start'
        Image|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
        Details:
            - 'DWORD (0x00000000)' # boot
            - 'DWORD (0x00000001)' # System
            - 'DWORD (0x00000002)' # Automatic
            # 3 - Manual , 4 - Disabled
    selection_service_imagepath:
        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
        TargetObject|endswith: '\ImagePath'
        Details|contains:
            - '\Users\Public\'
            - '\Perflogs\'
            - '\ADMIN$\'
            - '\Temp\'
    filter_optional_avast:
        Image|contains|all: # Filter FP with Avast software
            - '\Common Files\'
            - '\Temp\'
    filter_optional_mbamservice:
        TargetObject|endswith: '\CurrentControlSet\Services\MBAMInstallerService\ImagePath'
        Details|endswith: '\AppData\Local\Temp\MBAMInstallerService.exe"'
        Image: 'C:\Windows\system32\services.exe'
    condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high
Moderate
High FP
Service DACL Abuse To Hide Services Via Sc.EXE
Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
title: Service DACL Abuse To Hide Services Via Sc.EXE
id: a537cfc3-4297-4789-92b5-345bfd845ad0
related:
    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
      type: similar
    - id: 98c5aeef-32d5-492f-b174-64a691896d25 # Generic SD tampering
      type: similar
status: test
description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
references:
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
author: Andreas Hunkeler (@Karneades)
date: 2021-12-20
modified: 2022-08-08
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'sdset'
            # Summary of permissions
            # DC: Delete All Child Objects
            # LC: List Contents
            # WP: Write All Properties
            # DT: Delete Subtree
            # SD: Delete
            - 'DCLCWPDTSD'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Service Installation with Suspicious Folder Pattern
Detects service installation with suspicious folder patterns
title: Service Installation with Suspicious Folder Pattern
id: 1b2ae822-6fe1-43ba-aa7c-d1a3b3d1d5f2
status: test
description: Detects service installation with suspicious folder patterns
references:
    - Internal Research
author: pH-T (Nextron Systems)
date: 2022-03-18
modified: 2022-03-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - car.2013-09-005
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_img_paths:
        - ImagePath|re: '^[Cc]:\\[Pp]rogram[Dd]ata\\.{1,9}\.exe'
        - ImagePath|re: '^[Cc]:\\.{1,9}\.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Service Installed By Unusual Client - Security
Detects a service installed by a client which has PID 0 or whose parent has PID 0
view Sigma YAML
title: Service Installed By Unusual Client - Security
id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
related:
- id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
type: similar
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
- https://www.x86matthew.com/view_post?id=create_svc_rpc
- https://twitter.com/SBousseaden/status/1490608838701166596
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-15
modified: 2023-01-04
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1543
logsource:
service: security
product: windows
definition: 'Requirements: The System Security Extension audit subcategory need to be enabled to log the EID 4697'
detection:
selection_eid:
EventID: 4697
selection_pid:
- ClientProcessId: 0
- ParentProcessId: 0
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Moderate
Low FP
Service Installed By Unusual Client - System
Detects a service installed by a client which has PID 0 or whose parent has PID 0
title: Service Installed By Unusual Client - System
id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
related:
    - id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
      type: similar
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
    - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-15
modified: 2023-01-04
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ProcessId: 0
    condition: selection
falsepositives:
    - Unknown
level: high
high
Moderate
Medium FP
Service Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on a services registry key. Often used by attackers to remove AV software services.
title: Service Registry Key Deleted Via Reg.EXE
id: 05b2aa93-1210-42c8-8d9a-2fcc13b284f5
status: test
description: Detects execution of "reg.exe" commands with the "delete" flag on a services registry key. Often used by attackers to remove AV software services.
references:
    - https://www.virustotal.com/gui/file/2bcd5702a7565952c44075ac6fb946c7780526640d1264f692c7664c02c68465
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-01
modified: 2023-02-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: 'reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_delete:
        CommandLine|contains: ' delete '
    selection_key:
        # Add specific services if you would like the rule to be more specific
        CommandLine|contains: '\SYSTEM\CurrentControlSet\services\'
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
high
Strong
Medium FP
Set Suspicious Files as System Files Using Attrib.EXE
Detects the usage of attrib with the "+s" option to mark scripts or executables located in suspicious locations as system files, hiding them from users and preventing their deletion with ordinary user rights. The rule limits the search to specific extensions and directories to avoid FPs.
title: Set Suspicious Files as System Files Using Attrib.EXE
id: efec536f-72e8-4656-8960-5e85d091345b
related:
    - id: bb19e94c-59ae-4c15-8c12-c563d23fe52b
      type: derived
status: test
description: |
    Detects the usage of attrib with the "+s" option to mark scripts or executables located in suspicious locations as system files, hiding them from users and preventing their deletion with ordinary user rights. The rule limits the search to specific extensions and directories to avoid FPs.
references:
    - https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4
    - https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
    - https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-03-14
tags:
    - attack.stealth
    - attack.t1564.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\attrib.exe'
        - OriginalFileName: 'ATTRIB.EXE'
    selection_cli:
        CommandLine|contains: ' +s'
    selection_paths:
        CommandLine|contains:
            - ' %' # Custom Environment variable
            - '\Users\Public\'
            - '\AppData\Local\'
            - '\ProgramData\'
            - '\Downloads\'
            - '\Windows\Temp\'
    selection_ext:
        CommandLine|contains:
            - '.bat'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.ps1'
            - '.vbe'
            - '.vbs'
    filter_optional_installer:
        CommandLine|contains|all:
            - '\Windows\TEMP\'
            - '.exe'
    condition: all of selection* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Shadow Copies Deletion Using Operating Systems Utilities
Detects deletion of Shadow Copies using operating system utilities
title: Shadow Copies Deletion Using Operating Systems Utilities
id: c947b146-0abc-4c87-9c64-b17e9d7274a2
status: stable
description: Detects deletion of Shadow Copies using operating system utilities
references:
    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
    - https://blog.talosintelligence.com/2017/05/wannacry.html
    - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
    - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    - https://github.com/Neo23x0/Raccine#the-process
    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware
author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades)
date: 2019-10-22
modified: 2022-11-03
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
              - '\diskshadow.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
              - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet' # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
falsepositives:
    - Legitimate administrators deleting Shadow Copies with operating system utilities for a legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
high
Moderate
Medium FP
Shai-Hulud 2.0 Malicious NPM Package Installation
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
title: Shai-Hulud 2.0 Malicious NPM Package Installation
id: bae7c70b-8569-44e9-accf-b30073da8a5d
related:
- id: 514f533b-f56e-421d-80b0-f7706a3e9d23
type: similar
status: experimental
description: |
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
references:
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://github.com/wiz-sec-public/wiz-research-iocs/blob/a836ce8aacf12d6d2f6afc3c44b391dc4c08f46e/reports/shai-hulud-2-packages.csv
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-28
tags:
- attack.initial-access
- attack.execution
- attack.t1195.002
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\node.exe'
CommandLine|contains:
- 'install'
- ' i '
# List of known malicious packages and versions from the Shai-Hulud 2.0 campaign
selection_packages:
CommandLine|contains:
- '[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@afetcan/[email protected]'
- '@afetcan/[email protected]'
- '@alaan/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@aryanhussain/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@bdkinc/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@caretive/[email protected]'
- '@chtijs/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@cllbk/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@elsedev/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@faq-component/[email protected]'
- '@faq-component/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@hapheus/[email protected]'
- '@hover-design/[email protected]'
- '@hover-design/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@hyperlook/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifings/[email protected]'
- '@ifings/[email protected]'
- '@jayeshsadhwani/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@livecms/[email protected]'
- '@livecms/[email protected]'
- '@lokeswari-satyanarayanan/[email protected]'
- '@louisle2/[email protected]'
- '@louisle2/[email protected]'
- '@lpdjs/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@markvivanco/[email protected]'
- '@markvivanco/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@micado-digital/[email protected]'
- '@mizzle-dev/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@ntnx/[email protected]'
- '@ntnx/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@osmanekrem/[email protected]'
- '@osmanekrem/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@pradhumngautam/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@pruthvi21/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@sameepsi/[email protected]'
- '@sameepsi/[email protected]'
- '@seezo/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@sme-ui/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@suraj_h/[email protected]'
- '@thedelta/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trefox/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@viapip/[email protected]'
- '@vishadtyagi/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@vucod/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_malicious_npm_package_installation/info.yml
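The Windows rule whose tail is shown above and the Linux rule below share one shape: `selection_img` wants an `Image` suffix plus an install verb (`install` or ` i `) on the command line, `selection_packages` is a long list of `package@version` strings, and `condition: all of selection_*` ANDs the two. The Python below is an added example, not code from SigmaHQ or from this site, that replays that logic over constructed process_creation events and then shows two substring pitfalls the `|contains` modifier carries: a listed version is a prefix of a newer, unlisted one, and `uninstall` contains `install`. The image suffix tuple, the package names and the sample events are placeholders invented for the example, not the campaign's indicators; the real list is the rule's own `selection_packages`, sourced from the Wiz CSV it references.

```python
"""Replay of the Shai-Hulud 2.0 npm-install Sigma logic over constructed events.

Added example, not the SigmaHQ rule's code. Package names, image suffixes and
events are placeholders, not the campaign's IOCs.
"""
from typing import Callable, Iterable

# selection_img: Linux node binary (the Windows variant differs only in its
# image suffixes) plus an install verb. Sigma string matching is case-insensitive.
IMAGE_SUFFIXES = ("/node",)          # assumption: matches the Linux rule's Image|endswith
INSTALL_VERBS = ("install", " i ")   # the rule's CommandLine|contains list

# selection_packages: placeholder stand-in for the rule's package@version list.
MALICIOUS_PACKAGES = (
    "@example-scope/widget-core@1.4.2",
    "example-widget@4.2.1",
)

# Constructed sample events using Sigma's process_creation field names.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "/usr/bin/node",
     "CommandLine": "node /usr/bin/npm install @example-scope/widget-core@1.4.2"},
    {"id": 2, "Image": "/usr/local/bin/node",
     "CommandLine": "node /usr/local/bin/npm i example-widget@4.2.1 --save"},
    # Benign: newer, unlisted version whose string starts with a listed one.
    {"id": 3, "Image": "/usr/bin/node",
     "CommandLine": "node /usr/bin/npm install example-widget@4.2.10"},
    # Benign: removing the package; 'uninstall' still contains 'install'.
    {"id": 4, "Image": "/usr/bin/node",
     "CommandLine": "node /usr/bin/npm uninstall @example-scope/widget-core@1.4.2"},
    # Benign: metadata lookup, no install verb at all.
    {"id": 5, "Image": "/usr/bin/node",
     "CommandLine": "node /usr/bin/npm view @example-scope/widget-core@1.4.2"},
    # Wrong image: a shell merely echoing the IOC must not fire.
    {"id": 6, "Image": "/bin/bash",
     "CommandLine": "bash -c 'echo install @example-scope/widget-core@1.4.2'"},
]


def sigma_contains(value: str, needles: Iterable[str]) -> bool:
    """`field|contains` over a list: OR of case-insensitive substring tests."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def sigma_endswith(value: str, suffixes: Iterable[str]) -> bool:
    """`field|endswith` over a list: OR of case-insensitive suffix tests."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches_rule(event: dict) -> bool:
    """The rule as written: condition `all of selection_*`."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    selection_img = sigma_endswith(image, IMAGE_SUFFIXES) and sigma_contains(cmd, INSTALL_VERBS)
    selection_packages = sigma_contains(cmd, MALICIOUS_PACKAGES)
    return selection_img and selection_packages


def matches_strict(event: dict) -> bool:
    """Tuning variant (assumption, not part of the rule): compare whole
    command-line arguments, so `pkg@4.2.1` does not hit `pkg@4.2.10` and
    `uninstall` does not hit `install`."""
    image = event.get("Image", "")
    args = event.get("CommandLine", "").split()
    is_install = any(a in ("install", "i") for a in args)
    has_ioc = any(a in MALICIOUS_PACKAGES for a in args)
    return sigma_endswith(image, IMAGE_SUFFIXES) and is_install and has_ioc


def hits(events: list, predicate: Callable[[dict], bool] = matches_rule) -> list:
    """Ids of the events the predicate fires on, in input order."""
    return [e["id"] for e in events if predicate(e)]


if __name__ == "__main__":
    print("rule as written :", hits(SAMPLE_EVENTS))                  # [1, 2, 3, 4]
    print("token-level     :", hits(SAMPLE_EVENTS, matches_strict))  # [1, 2]
```

The `|contains` form is what every backend renders from the YAML, so events 3 and 4 are what the "Medium FP" tier is warning about. If those become noise, tune in the rendered query by switching the package list to exact-argument comparison (the `matches_strict` shape) rather than by trimming the list; dropping entries loses coverage, while the token check only removes the prefix and `uninstall` artefacts.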
high
Moderate
Medium FP
Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
title: Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
id: 514f533b-f56e-421d-80b0-f7706a3e9d23
related:
- id: bae7c70b-8569-44e9-accf-b30073da8a5d
type: similar
status: experimental
description: |
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
references:
- https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
- https://github.com/wiz-sec-public/wiz-research-iocs/blob/a836ce8aacf12d6d2f6afc3c44b391dc4c08f46e/reports/shai-hulud-2-packages.csv
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-28
tags:
- attack.initial-access
- attack.execution
- attack.t1195.002
- detection.emerging-threats
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/node'   # POSIX separator: a Windows-style '\node' suffix can never match a Linux Image path
CommandLine|contains:
- 'install'
- ' i '
# List of known malicious packages and versions from the Shai-Hulud 2.0 campaign
selection_packages:
CommandLine|contains:
- '[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@accordproject/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@actbase/[email protected]'
- '@afetcan/[email protected]'
- '@afetcan/[email protected]'
- '@alaan/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexadark/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@alexcolls/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@antstackio/[email protected]'
- '@aryanhussain/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@asyncapi/[email protected]'
- '@bdkinc/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@browserbasehq/[email protected]'
- '@caretive/[email protected]'
- '@chtijs/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@clausehq/[email protected]'
- '@cllbk/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@commute/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@dev-blinq/[email protected]'
- '@elsedev/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@ensdomains/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@everreal/[email protected]'
- '@faq-component/[email protected]'
- '@faq-component/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@fishingbooker/[email protected]'
- '@hapheus/[email protected]'
- '@hover-design/[email protected]'
- '@hover-design/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@huntersofbook/[email protected]'
- '@hyperlook/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifelsedeveloper/[email protected]'
- '@ifings/[email protected]'
- '@ifings/[email protected]'
- '@jayeshsadhwani/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@kvytech/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@lessondesk/[email protected]'
- '@livecms/[email protected]'
- '@livecms/[email protected]'
- '@lokeswari-satyanarayanan/[email protected]'
- '@louisle2/[email protected]'
- '@louisle2/[email protected]'
- '@lpdjs/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@lui-ui/[email protected]'
- '@markvivanco/[email protected]'
- '@markvivanco/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@mcp-use/[email protected]'
- '@micado-digital/[email protected]'
- '@mizzle-dev/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@mparpaillon/[email protected]'
- '@ntnx/[email protected]'
- '@ntnx/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@oku-ui/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@orbitgtbelgium/[email protected]'
- '@osmanekrem/[email protected]'
- '@osmanekrem/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@pergel/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@posthog/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@postman/[email protected]'
- '@pradhumngautam/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@productdevbook/[email protected]'
- '@pruthvi21/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@quick-start-soft/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@relyt/[email protected]'
- '@sameepsi/[email protected]'
- '@sameepsi/[email protected]'
- '@seezo/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@seung-ju/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@silgi/[email protected]'
- '@sme-ui/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@strapbuild/[email protected]'
- '@suraj_h/[email protected]'
- '@thedelta/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@tiaanduplessis/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trackstar/[email protected]'
- '@trefox/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trigo/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@trpc-rate-limiter/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@varsityvibe/[email protected]'
- '@viapip/[email protected]'
- '@vishadtyagi/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@voiceflow/[email protected]'
- '@vucod/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '@zapier/[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
- '[email protected]'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Strong
Medium FP
Shai-Hulud Malicious Bun Execution
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
title: Shai-Hulud Malicious Bun Execution
id: 5299fadf-f228-4526-8274-251db1960be9
related:
    - id: eb827bbd-670a-4d58-8446-c464d8ac2323
      type: similar
status: experimental
description: |
    Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
    The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
references:
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/setup_bun.js
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.t1195.002
    - attack.t1203
    - attack.execution
    - attack.initial-access
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\node.exe'
    selection_child_bun_script:
        Image|endswith: '\bun.exe'
        CommandLine|contains:
            - 'bun_environment.js'
            - 'https://github.com/actions/runner/releases/download/v2.330.0'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate but uncommon use of files named `bun_environment.js` could trigger this rule.
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_malicious_node_bun_execution/info.yml
high
Strong
Medium FP
Shai-Hulud Malicious Bun Execution - Linux
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
title: Shai-Hulud Malicious Bun Execution - Linux
id: eb827bbd-670a-4d58-8446-c464d8ac2323
related:
    - id: 5299fadf-f228-4526-8274-251db1960be9
      type: similar
status: experimental
description: |
    Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack.
    The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
references:
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://github.com/asyncapi/cli/blob/2efa4dff59bc3d3cecdf897ccf178f99b115d63d/setup_bun.js
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.t1195.002
    - attack.t1203
    - attack.execution
    - attack.initial-access
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection_parent:
        ParentImage|endswith: '/node'
    selection_child_bun:
        Image|endswith: '/bun'
        CommandLine|contains:
            - 'bun_environment.js'
            - 'https://github.com/actions/runner/releases/download/v2.330.0'
    selection_child_setup_curl:
        CommandLine|contains|all:
            - 'curl '
            - '-fsSL'
            - 'https://bun.sh/install'
            - 'bash'
    selection_child_path_reload:
        CommandLine|contains|all:
            - 'bash -c "source '
            - '&& echo'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate but uncommon use of files named `bun_environment.js` could trigger this rule.
level: high
high
Moderate
High FP
Shai-Hulud Malicious GitHub Workflow Creation
Detects creation of a shai-hulud-workflow.yml file, associated with the Shai-Hulud worm's NPM supply chain attack, in which a malicious GitHub Actions workflow exfiltrates GitHub secrets.
title: Shai-Hulud Malicious GitHub Workflow Creation
id: 0aba5685-6db6-486f-88ef-29a99c545cfd
status: experimental
description: Detects creation of a shai-hulud-workflow.yml file, associated with the Shai-Hulud worm's NPM supply chain attack, in which a malicious GitHub Actions workflow exfiltrates GitHub secrets.
references:
    - https://www.safetycli.com/blog/shai-hulud-npm-attack-runs-malicious-github-action
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-09-24
modified: 2026-01-24
tags:
    - attack.persistence
    - attack.credential-access
    - attack.t1552.001
    - attack.collection
    - attack.t1119
    - detection.emerging-threats
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '.github/workflows/shai-hulud-workflow.yaml'
            - '.github/workflows/shai-hulud-workflow.yml'
            - '.github/workflows/shai-hulud.yaml'
            - '.github/workflows/shai-hulud.yml'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Moderate
High FP
Shai-Hulud Malware Indicators - Linux
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
title: Shai-Hulud Malware Indicators - Linux
id: 11bb9b26-4179-4a06-afcb-1ec31fce1627
related:
    - id: 540703fb-a874-4385-a9d6-7cd1bfab268c
      type: similar
    - id: 8f2a9c3b-7e5d-4f1a-9b8e-2c4d6a8f9e1b
      type: similar
status: experimental
description: |
    Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
references:
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains:
            - 'Shai-Hulud'
            - 'SHA1HULUD'
    condition: selection
falsepositives:
    - Legitimate software containing similar strings
level: high
high
Moderate
High FP
Shai-Hulud Malware Indicators - Windows
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
title: Shai-Hulud Malware Indicators - Windows
id: 540703fb-a874-4385-a9d6-7cd1bfab268c
related:
    - id: 11bb9b26-4179-4a06-afcb-1ec31fce1627
      type: similar
    - id: 8f2a9c3b-7e5d-4f1a-9b8e-2c4d6a8f9e1b
      type: similar
status: experimental
description: |
    Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
references:
    - https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
    - https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
    - https://semgrep.dev/blog/2025/digging-for-secrets-sha1-hulud-the-second-coming-of-the-npm-worm/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-25
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'Shai-Hulud'
            - 'SHA1HULUD'
    condition: selection
falsepositives:
    - Legitimate software containing similar strings
level: high
regression_tests_path: regression_data/rules-emerging-threats/2025/Malware/Shai-Hulud/proc_creation_win_mal_shai_hulud_indicator/info.yml
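The five Shai-Hulud rules above share one shape: flat field selections joined by a short condition. As an added example, not SigmaHQ or pySigma code, the following Python evaluates the Linux Bun-execution rule, the workflow-creation rule and the indicator rule against constructed events, so a practitioner can see which event shapes fire before converting anything for a SIEM. It implements only the subset of Sigma semantics these rules need (the endswith, contains and contains|all modifiers, implicit AND inside a selection, and conditions built from `and`, `1 of X*` and `all of X*`), with case-insensitive matching, which is what the Sigma specification requires when no `|cased` modifier is present. The rule dictionaries are transcribed verbatim from the YAML on this page; the event records, their `id` values and the helper names are constructed for this example, and production conversion should still go through sigma-cli/pySigma.

```python
"""Evaluate the Shai-Hulud Sigma detections above against constructed events.

Added example, not SigmaHQ code. Only the Sigma subset these rules use is
implemented: endswith / contains / contains|all, implicit AND within a
selection, and conditions built from 'and', '1 of X*' and 'all of X*'.
"""
import fnmatch
import re

# Rule detections transcribed from the YAML on this page (values verbatim).
BUN_LINUX = {
    "selection_parent": {"ParentImage|endswith": "/node"},
    "selection_child_bun": {
        "Image|endswith": "/bun",
        "CommandLine|contains": [
            "bun_environment.js",
            "https://github.com/actions/runner/releases/download/v2.330.0",
        ],
    },
    "selection_child_setup_curl": {
        "CommandLine|contains|all": ["curl ", "-fsSL", "https://bun.sh/install", "bash"],
    },
    "selection_child_path_reload": {
        "CommandLine|contains|all": ['bash -c "source ', "&& echo"],
    },
    "condition": "selection_parent and 1 of selection_child_*",
}
WORKFLOW_FILE = {
    "selection": {"TargetFilename|endswith": [
        ".github/workflows/shai-hulud-workflow.yaml",
        ".github/workflows/shai-hulud-workflow.yml",
        ".github/workflows/shai-hulud.yaml",
        ".github/workflows/shai-hulud.yml",
    ]},
    "condition": "selection",
}
INDICATORS = {
    "selection": {"CommandLine|contains": ["Shai-Hulud", "SHA1HULUD"]},
    "condition": "selection",
}
RULES = {"bun_linux": BUN_LINUX, "workflow_file": WORKFLOW_FILE, "indicators": INDICATORS}


def _match_value(value, pattern, modifiers):
    """Compare one field value with one pattern; Sigma strings are case-insensitive."""
    if value is None:            # a field absent from the event never matches
        return False
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in v
    if "endswith" in modifiers:
        return v.endswith(p)
    if "startswith" in modifiers:
        return v.startswith(p)
    return v == p                # no modifier: exact (case-insensitive) match


def _match_field(event, key, patterns):
    """A list of patterns is OR-ed unless the |all modifier makes it AND-ed."""
    field, *modifiers = key.split("|")
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hits = [_match_value(event.get(field), p, modifiers) for p in patterns]
    return all(hits) if "all" in modifiers else any(hits)


def match_selection(event, selection):
    """Every field entry inside one selection must match (implicit AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def _eval_term(term, results):
    """Resolve one condition term: a selection name, '1 of X*' or 'all of X*'."""
    m = re.fullmatch(r"(1|all) of (\S+)", term)
    if not m:
        return results[term]
    quantifier, glob = m.groups()
    hits = [r for name, r in results.items() if fnmatch.fnmatchcase(name, glob)]
    return all(hits) if quantifier == "all" else any(hits)


def evaluate(event, detection):
    """True if the event satisfies the rule's condition."""
    results = {n: match_selection(event, s) for n, s in detection.items() if n != "condition"}
    return all(_eval_term(t.strip(), results) for t in detection["condition"].split(" and "))


def run(events, rules=RULES):
    """Map each event id to the names of the rules that fire on it."""
    return {e["id"]: [n for n, d in rules.items() if evaluate(e, d)] for e in events}


# Constructed sample events (not real telemetry); field names follow the Sigma taxonomy.
EVENTS = [
    {"id": "payload", "ParentImage": "/usr/bin/node",
     "Image": "/home/ci/.bun/bin/bun", "CommandLine": "bun /tmp/pkg/bun_environment.js"},
    {"id": "installer", "ParentImage": "/usr/local/bin/node",
     "Image": "/bin/sh", "CommandLine": "sh -c curl -fsSL https://bun.sh/install | bash"},
    {"id": "benign_bun", "ParentImage": "/usr/bin/node",
     "Image": "/usr/bin/bun", "CommandLine": "bun test"},
    {"id": "branch_name", "ParentImage": "/bin/bash",
     "Image": "/usr/bin/git", "CommandLine": "git checkout -b shai-hulud-cleanup"},
    {"id": "workflow",
     "TargetFilename": "/home/runner/work/app/app/.github/workflows/shai-hulud-workflow.yml"},
]

if __name__ == "__main__":
    for event_id, fired in run(EVENTS).items():
        print(f"{event_id:12} -> {fired or '-'}")
```

Two of the outcomes are the ones worth tuning for. The `installer` event fires the Bun rule although its Image is `/bin/sh`, because `1 of selection_child_*` accepts any one child selection once the parent is node, so the curl-based installer is caught independently of the bun binary. The `branch_name` event fires the indicator rule on a git branch called shai-hulud-cleanup: that case-insensitive substring match is the behaviour behind the High FP tier shown for the indicator rules, and is the first thing to baseline before deploying them.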
Showing 1401-1450 of 3,750