
Sigma (generic) detection rules

3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules: the raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by technique (pick techniques from the ATT&CK matrix); counts shown per tactic: Reconnaissance 12 · Resource Development 10 · Initial Access 10 · Execution 30 · Persistence 43 · Privilege Escalation 20 · Stealth 83 · Defense Impairment 32 · Credential Access 35 · Discovery 33 · Lateral Movement 16 · Collection 20 · Command and Control 24 · Exfiltration 10 · Impact 18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
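Before trusting a rule, it helps to run it locally against a handful of events and see which selection and filter blocks fire. The Python below is an added example, not code from this site or from SigmaHQ: a minimal evaluator for the subset of Sigma that the rules on this page use (contains, endswith, re, all and windash modifiers, list-of-maps OR semantics, and "all of", "1 of" and "not" in conditions), run over constructed events against two rules transcribed from this page. Field names are the Sigma taxonomy; production tooling such as pySigma or sigma-cli handles the full condition grammar and the schema mapping described under Adapt.

```python
import re
from fnmatch import fnmatchcase

# Two detection blocks from this page, transcribed as Python dicts so no YAML
# library is needed: "Suspicious Schtasks Schedule Types" (24c8392b-aa3c-46b7-a545-43f71657fe98)
# and "Suspicious Service Installation Script" (70f00d10-60b2-4f34-b9a0-dc3df3fe762a).
# Field names are the Sigma taxonomy that must be mapped onto your own log schema.
SCHTASKS_RULE = {
    "selection_img": [  # a list of maps is OR across the maps
        {"Image|endswith": "\\schtasks.exe"},
        {"OriginalFileName": "schtasks.exe"},
    ],
    "selection_time": {"CommandLine|contains": [" ONLOGON ", " ONSTART ", " ONCE ", " ONIDLE "]},
    "filter_privs": {"CommandLine|contains": ["NT AUT", " SYSTEM", "HIGHEST"]},
    "condition": "all of selection_* and not 1 of filter_*",
}
SERVICE_SCRIPT_RULE = {
    "selection_eid": {"Provider_Name": "Service Control Manager", "EventID": 7045},
    "selection_cmd_flags": {"ImagePath|contains|windash": [" -c ", " -r ", " -k "]},
    "selection_binaries": {"ImagePath|contains": [
        "cscript", "mshta", "powershell", "pwsh", "regsvr32", "rundll32", "wscript"]},
    "condition": "all of selection_*",
}

def _match_value(actual: str, pattern: str, mods: list) -> bool:
    """One Sigma string comparison; plain matches are case-insensitive, 're' is not."""
    if "re" in mods:
        return re.search(pattern, actual) is not None
    a, p = actual.lower(), pattern.lower()
    if "contains" in mods:
        return p in a
    if "endswith" in mods:
        return a.endswith(p)
    return a == p

def _pattern_hit(actual: str, pattern: str, mods: list) -> bool:
    """'windash' accepts either '-' or '/' as the argument prefix (simplified)."""
    variants = [pattern, pattern.replace(" -", " /")] if "windash" in mods else [pattern]
    return any(_match_value(actual, v, mods) for v in variants)

def _field_matches(event: dict, key: str, expected) -> bool:
    field, *mods = key.split("|")
    if field not in event:
        return False
    values = expected if isinstance(expected, list) else [expected]
    hits = [_pattern_hit(str(event[field]), str(v), mods) for v in values]
    # A value list is OR by default; the 'all' modifier turns it into AND.
    return all(hits) if "all" in mods else any(hits)

def _selection_matches(event: dict, sel) -> bool:
    """A map is AND across its fields; a list of maps is OR across the maps."""
    if isinstance(sel, list):
        return any(_selection_matches(event, s) for s in sel)
    return all(_field_matches(event, k, v) for k, v in sel.items())

def _term(tokens: list, i: int, results: dict):
    """Evaluate one condition term: 'not X', 'all of pat*', '1 of pat*', or a name."""
    tok = tokens[i]
    if tok == "not":
        val, i = _term(tokens, i + 1, results)
        return not val, i
    if i + 2 < len(tokens) and tokens[i + 1] == "of":
        names = [n for n in results if fnmatchcase(n, tokens[i + 2])]
        hits = sum(results[n] for n in names)
        need = len(names) if tok == "all" else int(tok)
        return hits >= need, i + 3
    return results[tok], i + 1

def evaluate(rule: dict, event: dict) -> bool:
    """True when the event satisfies the rule's condition (precedence: not > and > or)."""
    results = {n: _selection_matches(event, s) for n, s in rule.items() if n != "condition"}
    tokens = rule["condition"].split()
    or_groups, current, i = [], [], 0
    while i < len(tokens):
        if tokens[i] == "or":
            or_groups.append(current)
            current, i = [], i + 1
        elif tokens[i] == "and":
            i += 1
        else:
            val, i = _term(tokens, i, results)
            current.append(val)
    or_groups.append(current)
    return any(all(g) for g in or_groups)

# Constructed sample events (not from the page): a task scheduled ONLOGON without
# elevated privileges, the same task with /ru SYSTEM (excluded by filter_privs),
# and a 7045 service install whose ImagePath uses slash-style flags (windash).
EVENTS = {
    "onlogon_user": {"Image": "C:\\Windows\\System32\\schtasks.exe",
                     "CommandLine": "schtasks /create /sc ONLOGON /tn Upd /tr C:\\Users\\Public\\u.exe"},
    "onlogon_system": {"Image": "C:\\Windows\\System32\\schtasks.exe",
                       "CommandLine": "schtasks /create /sc ONLOGON /ru SYSTEM /tn Upd /tr C:\\x.exe"},
    "service_script": {"Provider_Name": "Service Control Manager", "EventID": 7045,
                       "ImagePath": "cmd.exe /c powershell -nop -w hidden -f C:\\Temp\\a.ps1"},
}
if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name}: schtasks={evaluate(SCHTASKS_RULE, ev)} service={evaluate(SERVICE_SCRIPT_RULE, ev)}")
```

Swap in events from your own process-creation or System log to check a rule's field mapping before it goes into a saved search.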

Detection rules

50 shown of 3,750
Suspicious SYSTEM User Process Creation
level: high · quality: Strong · alert volume: Medium FP · ATT&CK mapping: technique
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
status: test · author: Florian Roth (Nextron Systems), David ANDRE (additional keywords) · id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
Sigma YAML:
title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1134
    - attack.t1003
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
              - '\calc.exe'
              - '\cscript.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\mshta.exe'
              - '\ping.exe'
              - '\wscript.exe'
        - CommandLine|re: 'net\s+user\s+'
        - CommandLine|contains:
              # - 'sc stop ' # stops a system service # causes FPs
              - ' -NoP '  # Often used in malicious PowerShell commands
              - ' -W Hidden '  # Often used in malicious PowerShell commands
              - ' -decode '  # Used with certutil
              - ' /decode '  # Used with certutil
              - ' /urlcache '  # Used with certutil
              - ' -urlcache '  # Used with certutil
              - ' -e* JAB'  # PowerShell encoded commands
              - ' -e* SUVYI'  # PowerShell encoded commands
              - ' -e* SQBFAFgA'  # PowerShell encoded commands
              - ' -e* aWV4I'  # PowerShell encoded commands
              - ' -e* IAB'  # PowerShell encoded commands
              - ' -e* PAA'  # PowerShell encoded commands
              - ' -e* aQBlAHgA'  # PowerShell encoded commands
              - 'vssadmin delete shadows'  # Ransomware
              - 'reg SAVE HKLM'  # save registry SAM - syskey extraction
              - ' -ma '  # ProcDump
              - 'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD
              - '.downloadstring('  # PowerShell download command
              - '.downloadfile('  # PowerShell download command
              - ' /ticket:'  # Rubeus
              - 'dpapi::'     # Mimikatz
              - 'event::clear'        # Mimikatz
              - 'event::drop'     # Mimikatz
              - 'id::modify'      # Mimikatz
              - 'kerberos::'       # Mimikatz
              - 'lsadump::'      # Mimikatz
              - 'misc::'     # Mimikatz
              - 'privilege::'       # Mimikatz
              - 'rpc::'      # Mimikatz
              - 'sekurlsa::'       # Mimikatz
              - 'sid::'        # Mimikatz
              - 'token::'      # Mimikatz
              - 'vault::cred'     # Mimikatz
              - 'vault::list'     # Mimikatz
              - ' p::d '  # Mimikatz
              - ';iex('  # PowerShell IEX
              - 'MiniDump'  # Process dumping method apart from procdump
    filter_main_ping:
        CommandLine|contains|all:
            - 'ping'
            - '127.0.0.1'
            - ' -n '
    filter_vs:
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    filter_config_mgr:
        ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_java:
        ParentImage|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        ParentImage|endswith: '\bin\javaws.exe'
        Image|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        Image|endswith: '\bin\jp2launcher.exe'
        CommandLine|contains: ' -ma '
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high
Suspicious Scheduled Task Creation
level: high · quality: Moderate · alert volume: Medium FP · ATT&CK mapping: sub-technique
Detects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
Sigma YAML:
title: Suspicious Scheduled Task Creation
id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
status: test
description: Detects suspicious scheduled task creation events, based on attributes such as paths, command line flags, etc.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
modified: 2022-12-07
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    service: security
    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
    selection_eid:
        EventID: 4698
    selection_paths:
        TaskContent|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Users\Public\'
            - '\WINDOWS\Temp\'
            - 'C:\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Temporary Internet'
            - 'C:\ProgramData\'
            - 'C:\Perflogs\'
    selection_commands:
        TaskContent|contains:
            - 'regsvr32'
            - 'rundll32'
            - 'cmd.exe</Command>'
            - 'cmd</Command>'
            - '<Arguments>/c '
            - '<Arguments>/k '
            - '<Arguments>/r '
            - 'powershell'
            - 'pwsh'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'certutil'
            - 'bitsadmin'
            - 'bash.exe'
            - 'bash '
            - 'scrcons'
            - 'wmic '
            - 'wmic.exe'
            - 'forfiles'
            - 'scriptrunner'
            - 'hh.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Suspicious Scheduled Task Creation Involving Temp Folder
level: high · quality: Strong · alert volume: High FP · ATT&CK mapping: sub-technique
Detects the creation of scheduled tasks that involve a temporary folder and run only once
status: test · author: Florian Roth (Nextron Systems) · id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
Sigma YAML:
title: Suspicious Scheduled Task Creation Involving Temp Folder
id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
status: test
description: Detects the creation of scheduled tasks that involve a temporary folder and run only once
references:
    - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
author: Florian Roth (Nextron Systems)
date: 2021-03-11
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - ' /create '
            - ' /sc once '
            - '\Temp\'
    condition: selection
falsepositives:
    - Administrative activity
    - Software installation
level: high
Suspicious Scheduled Task Update
level: high · quality: Moderate · alert volume: Medium FP · ATT&CK mapping: sub-technique
Detects scheduled task update events that contain suspicious keywords.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 614cf376-6651-47c4-9dcc-6b9527f749f4
Sigma YAML:
title: Suspicious Scheduled Task Update
id: 614cf376-6651-47c4-9dcc-6b9527f749f4
related:
    - id: 1c0e41cd-21bb-4433-9acc-4a2cd6367b9b # ProcCreation schtasks change
      type: similar
status: test
description: Detects scheduled task update events that contain suspicious keywords.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4698
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-05
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1053.005
logsource:
    product: windows
    service: security
    definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
    selection_eid:
        EventID: 4702
    selection_paths:
        TaskContentNew|contains:
            - '\AppData\Local\Temp\'
            - '\AppData\Roaming\'
            - '\Users\Public\'
            - '\WINDOWS\Temp\'
            - 'C:\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Temporary Internet'
            - 'C:\ProgramData\'
            - 'C:\Perflogs\'
    selection_commands:
        TaskContentNew|contains:
            - 'regsvr32'
            - 'rundll32'
            - 'cmd.exe</Command>'
            - 'cmd</Command>'
            - '<Arguments>/c '
            - '<Arguments>/k '
            - '<Arguments>/r '
            - 'powershell'
            - 'pwsh'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'certutil'
            - 'bitsadmin'
            - 'bash.exe'
            - 'bash '
            - 'scrcons'
            - 'wmic '
            - 'wmic.exe'
            - 'forfiles'
            - 'scriptrunner'
            - 'hh.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Suspicious Scheduled Task Write to System32 Tasks
level: high · quality: Moderate · alert volume: Medium FP · ATT&CK mapping: technique
Detects the creation of tasks from processes executed from suspicious locations
status: test · author: Florian Roth (Nextron Systems) · id: 80e1f67a-4596-4351-98f5-a9c3efabac95
Sigma YAML:
title: Suspicious Scheduled Task Write to System32 Tasks
id: 80e1f67a-4596-4351-98f5-a9c3efabac95
status: test
description: Detects the creation of tasks from processes executed from suspicious locations
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2021-11-16
modified: 2022-01-12
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Windows\System32\Tasks'
        Image|contains:
            - '\AppData\'
            - 'C:\PerfLogs'
            - '\Windows\System32\config\systemprofile'
    condition: selection
falsepositives:
    - Unknown
level: high
Suspicious Schtasks Execution AppData Folder
level: high · quality: Strong · alert volume: Medium FP · ATT&CK mapping: sub-technique
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
status: test · author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) · id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
Sigma YAML:
title: Suspicious Schtasks Execution AppData Folder
id: c5c00f49-b3f9-45a6-997e-cfdecc6e1967
status: test
description: 'Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local'
references:
    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-15
modified: 2022-07-28
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1053.005
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - '/Create'
            - '/RU'
            - '/TR'
            - 'C:\Users\'
            - '\AppData\Local\'
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM ' # SYSTEM is a valid value for schtasks, hence it gets its own entry with surrounding spaces
    filter:
        # FP from test set in SIGMA
        ParentImage|contains|all:
            - '\AppData\Local\Temp\'
            - 'TeamViewer_.exe'
        Image|endswith: '\schtasks.exe'
        CommandLine|contains: '/TN TVInstallRestore'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Suspicious Schtasks Schedule Types
level: high · quality: Strong · alert volume: Medium FP · ATT&CK mapping: sub-technique
Detects scheduled task creations or modifications on a suspicious schedule type
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 24c8392b-aa3c-46b7-a545-43f71657fe98
Sigma YAML:
title: Suspicious Schtasks Schedule Types
id: 24c8392b-aa3c-46b7-a545-43f71657fe98
related:
    - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
      type: similar
status: test
description: Detects scheduled task creations or modifications on a suspicious schedule type
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_time:
        CommandLine|contains:
            - ' ONLOGON '
            - ' ONSTART '
            - ' ONCE '
            - ' ONIDLE '
    filter_privs:
        CommandLine|contains:
            - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
            - ' SYSTEM' # SYSTEM is a valid value for schtasks, hence it gets its own entry with a leading space
            - 'HIGHEST'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Legitimate processes that run at logon. Filter according to your environment
level: high
Suspicious Scripting in a WMI Consumer
level: high · quality: Strong · alert volume: High FP · ATT&CK mapping: sub-technique
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
status: test · author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro · id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
Sigma YAML:
title: Suspicious Scripting in a WMI Consumer
id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0
status: test
description: Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
references:
    - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
    - https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19
    - https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2019-04-15
modified: 2023-09-09
tags:
    - attack.execution
    - attack.t1059.005
logsource:
    product: windows
    category: wmi_event
detection:
    selection_destination:
        - Destination|contains|all:
              - 'new-object'
              - 'net.webclient'
              - '.downloadstring'
        - Destination|contains|all:
              - 'new-object'
              - 'net.webclient'
              - '.downloadfile'
        - Destination|contains:
              - ' iex('
              - ' -nop '
              - ' -noprofile '
              - ' -decode '
              - ' -enc '
              - 'WScript.Shell'
              - 'System.Security.Cryptography.FromBase64Transform'
    condition: selection_destination
falsepositives:
    - Legitimate administrative scripts
level: high
Suspicious Serv-U Process Pattern
level: high · quality: Strong · alert volume: Medium FP · ATT&CK mapping: technique
Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
status: test · author: Florian Roth (Nextron Systems) · id: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf
Sigma YAML:
title: Suspicious Serv-U Process Pattern
id: 58f4ea09-0fc2-4520-ba18-b85c540b0eaf
status: test
description: Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
references:
    - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
author: Florian Roth (Nextron Systems)
date: 2021-07-14
modified: 2022-07-14
tags:
    - attack.credential-access
    - attack.t1555
    - cve.2021-35211
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Serv-U.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\schtasks.exe'
            - '\regsvr32.exe'
            - '\wmic.exe'  # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\msiexec.exe'
            - '\forfiles.exe'
            - '\scriptrunner.exe'
    condition: selection
falsepositives:
    - Legitimate uses in which users or programs use the SSH service of Serv-U for remote command execution
level: high
Suspicious Service Binary Directory
level: high · quality: Moderate · alert volume: Medium FP · ATT&CK mapping: technique
Detects a service binary running in a suspicious directory
status: test · author: Florian Roth (Nextron Systems) · id: 883faa95-175a-4e22-8181-e5761aeb373c
Sigma YAML:
title: Suspicious Service Binary Directory
id: 883faa95-175a-4e22-8181-e5761aeb373c
status: test
description: Detects a service binary running in a suspicious directory
references:
    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
author: Florian Roth (Nextron Systems)
date: 2021-03-09
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\Users\Public\'
            - '\$Recycle.bin'
            - '\Users\All Users\'
            - '\Users\Default\'
            - '\Users\Contacts\'
            - '\Users\Searches\'
            - 'C:\Perflogs\'
            - '\config\systemprofile\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
            - '\Windows\addins\'
        ParentImage|endswith:
            - '\services.exe'
            - '\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Suspicious Service DACL Modification Via Set-Service Cmdlet
level: high · quality: Moderate · alert volume: Medium FP · ATT&CK mapping: sub-technique
Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available in PowerShell 7) that can be used to hide services or make them unstoppable
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
Sigma YAML:
title: Suspicious Service DACL Modification Via Set-Service Cmdlet
id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
related:
    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
      type: derived
status: test
description: Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available in PowerShell 7) that can be used to hide services or make them unstoppable
references:
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://learn.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-18
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\pwsh.exe'
        - OriginalFileName: 'pwsh.dll'
    selection_sddl_flag:
        CommandLine|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    selection_set_service:
        CommandLine|contains|all:
            - 'Set-Service '
            - 'D;;'
        CommandLine|contains:
            - ';;;IU'
            - ';;;SU'
            - ';;;BA'
            - ';;;SY'
            - ';;;WD'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
level: high · quality: Strong · alert volume: Medium FP · ATT&CK mapping: sub-technique
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (works only in PowerShell 7)
status: test · author: Nasreddine Bencherchali (Nextron Systems) · id: 22d80745-6f2c-46da-826b-77adaededd74
Sigma YAML:
title: Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
id: 22d80745-6f2c-46da-826b-77adaededd74
related:
    - id: a95b9b42-1308-4735-a1af-abb1c5e6f5ac
      type: similar
status: test
description: Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (works only in PowerShell 7)
references:
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-24
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1574.011
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_sddl_flag:
        ScriptBlockText|contains:
            - '-SecurityDescriptorSddl '
            - '-sd '
    selection_set_service:
        ScriptBlockText|contains|all:
            - 'Set-Service '
            - 'D;;'
        ScriptBlockText|contains:
            - ';;;IU'
            - ';;;SU'
            - ';;;BA'
            - ';;;SY'
            - ';;;WD'
    condition: all of selection_*
falsepositives:
    - Rare intended use of hidden services
    - Rare FPs could occur due to the non-linearity of the ScriptBlockText log
level: high
Suspicious Service Installation
level: high · quality: Moderate · alert volume: Medium FP · ATT&CK mapping: sub-technique
Detects suspicious service installation commands
status: test · author: pH-T (Nextron Systems), Florian Roth (Nextron Systems) · id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
Sigma YAML:
title: Suspicious Service Installation
id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
related:
    - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
      type: obsolete
    - id: 26481afe-db26-4228-b264-25a29fe6efc7
      type: similar
status: test
description: Detects suspicious service installation commands
references:
    - Internal Research
author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-03-18
modified: 2023-12-04
tags:
    - attack.persistence
    - attack.privilege-escalation
    - car.2013-09-005
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains:
            - ' -nop '
            - ' -sta '
            - ' -w hidden '
            - ':\Temp\'
            - '.downloadfile(' # PowerShell download command
            - '.downloadstring(' # PowerShell download command
            - '\ADMIN$\'
            - '\Perflogs\'
            - '&&'
    condition: selection
falsepositives:
    - Unknown
level: high
Suspicious Service Installation Script
level: high · quality: Moderate · alert volume: Medium FP · ATT&CK mapping: sub-technique
Detects suspicious service installation scripts
status: test · author: pH-T (Nextron Systems) · id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a
Sigma YAML:
title: Suspicious Service Installation Script
id: 70f00d10-60b2-4f34-b9a0-dc3df3fe762a
status: test
description: Detects suspicious service installation scripts
references:
    - Internal Research
author: pH-T (Nextron Systems)
date: 2022-03-18
modified: 2024-03-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - car.2013-09-005
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection_eid:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_cmd_flags:
        ImagePath|contains|windash:
            - ' -c '
            - ' -r '
            - ' -k '
    selection_binaries:
        ImagePath|contains:
            - 'cscript'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Suspicious Service Path Modification
level: high · quality: Moderate · alert volume: High FP · ATT&CK mapping: sub-technique
Detects service path modification via the "sc" binary to a suspicious command or path
status: test · author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems) · id: 138d3531-8793-4f50-a2cd-f291b2863d78
Sigma YAML:
title: Suspicious Service Path Modification
id: 138d3531-8793-4f50-a2cd-f291b2863d78
status: test
description: Detects service path modification via the "sc" binary to a suspicious command or path
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
author: Victor Sergeev, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-21
modified: 2022-11-18
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sc.exe'
        CommandLine|contains|all:
            - 'config'
            - 'binPath'
        CommandLine|contains:
            # Add more suspicious commands or binaries
            - 'powershell'
            - 'cmd '
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'rundll32'
            - 'svchost'
            - 'dllhost'
            - 'cmd.exe /c'
            - 'cmd.exe /k'
            - 'cmd.exe /r'
            - 'cmd /c'
            - 'cmd /k'
            - 'cmd /r'
            # Add more suspicious paths
            - 'C:\Users\Public'
            - '\Downloads\'
            - '\Desktop\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - 'C:\Windows\TEMP\'
            - '\AppData\Local\Temp'
    condition: selection
falsepositives:
    - Unlikely
level: high
Suspicious ShellExec_RunDLL Call Via Ordinal
level: high · quality: Strong · alert volume: Medium FP · ATT&CK mapping: sub-technique
Detects a suspicious call to the "ShellExec_RunDLL" function exported by SHELL32.DLL through its ordinal number to launch other commands. An adversary might use only the ordinal number in order to bypass existing detections that alert on the string ShellExec_RunDLL in the command line.
status: test · author: Swachchhanda Shrawan Poudel · id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
Sigma YAML:
title: Suspicious ShellExec_RunDLL Call Via Ordinal
id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
related:
    - id: d87bd452-6da1-456e-8155-7dc988157b7d
      type: derived
status: test
description: |
    Detects a suspicious call to the "ShellExec_RunDLL" function exported by SHELL32.DLL through its ordinal number to launch other commands.
    An adversary might use only the ordinal number in order to bypass existing detections that alert on the string ShellExec_RunDLL in the command line.
references:
    - https://redcanary.com/blog/raspberry-robin/
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
    - https://github.com/SigmaHQ/sigma/issues/1009
    - https://strontic.github.io/xcyclopedia/library/shell32.dll-65DA072F25DE83D9F83653E3FEA3644D.html
author: Swachchhanda Shrawan Poudel
date: 2024-12-01
tags:
    - attack.stealth
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_img:
        ParentCommandLine|contains: 'SHELL32.DLL'
    selection_parent_ordinal:
        ParentCommandLine|contains:
            # Note: The ordinal number may differ depending on the DLL version
            # Example: rundll32 SHELL32.DLL,#572 "cmd.exe" "/c calc.exe"
            - '#568'
            - '#570'
            - '#572'
            - '#576'
    selection_susp_cli_parent:
        # Note: Add additional binaries and suspicious paths to increase coverage
        - ParentCommandLine|contains:
              - 'comspec'
              - 'iex'
              - 'Invoke-'
              - 'msiexec'
              - 'odbcconf'
              - 'regsvr32'
        - ParentCommandLine|contains:
              - '\Desktop\'
              - '\ProgramData\'
              - '\Temp\'
              - '\Users\Public\'
    selection_susp_child_img:
        Image|endswith:
            - '\bash.exe'
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\curl.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\msxsl.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: all of selection_parent_* and 1 of selection_susp_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Shells Spawn by Java Utility Keytool
Detects suspicious shells spawned by the Java keytool utility, e.g. during ManageEngine ADSelfService Plus exploitation (CVE-2021-40539, see references).
status: test · author: Andreas Hunkeler (@Karneades) · ATT&CK mapping: tactic-only · id: 90fb5e62-ca1f-4e22-b42e-cc521874c938
title: Suspicious Shells Spawn by Java Utility Keytool
id: 90fb5e62-ca1f-4e22-b42e-cc521874c938
status: test
description: Detects suspicious shells spawned by the Java keytool utility, e.g. during ManageEngine ADSelfService Plus exploitation (CVE-2021-40539, see references).
references:
    - https://redcanary.com/blog/intelligence-insights-december-2021
    - https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
author: Andreas Hunkeler (@Karneades)
date: 2021-12-22
modified: 2023-01-21
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\keytool.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\schtasks.exe'
            - '\certutil.exe'
            - '\whoami.exe'
            - '\bitsadmin.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\scrcons.exe'
            - '\regsvr32.exe'
            - '\hh.exe'
            - '\wmic.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\forfiles.exe'
            - '\scriptrunner.exe'
            - '\mftrace.exe'
            - '\AppVLP.exe'
            - '\systeminfo.exe'
            - '\reg.exe'
            - '\query.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: bf344fea-d947-4ef4-9192-34d008315d3a
title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
        TargetObject|endswith:
            # Note: add other application to increase coverage
            - '\csrss.exe'
            - '\dllhost.exe'
            - '\explorer.exe'
            - '\RuntimeBroker.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\svchost.exe'
            - '\taskhostw.exe'
            - '\winlogon.exe'
            - '\WmiPrvSe.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Low FP
Suspicious SignIns From A Non Registered Device
Detects risky authentication from a non AD registered device without MFA being required.
status: test · author: Harjot Singh, '@cyb3rjy0t' · ATT&CK mapping: technique · id: 572b12d4-9062-11ed-a1eb-0242ac120002
title: Suspicious SignIns From A Non Registered Device
id: 572b12d4-9062-11ed-a1eb-0242ac120002
status: test
description: Detects risky authentication from a non AD registered device without MFA being required.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-devices#non-compliant-device-sign-in
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-10
modified: 2025-07-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    selection_main:
        Status: 'Success'
        AuthenticationRequirement: 'singleFactorAuthentication'
        RiskState: 'atRisk'
    selection_empty1:
        DeviceDetail.trusttype: ''
    selection_empty2:
        DeviceDetail.trusttype: null
    condition: selection_main and 1 of selection_empty*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Space Characters in RunMRU Registry Path - ClickFix
Detects numerous consecutive space characters in RunMRU registry values, which may indicate execution via a phishing lure that uses the ClickFix technique: the command pasted into the Windows Run dialog is padded with spaces so that only a harmless-looking comment is visible to the user.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
title: Suspicious Space Characters in RunMRU Registry Path - ClickFix
id: 7a1b4c5e-8f3d-4b9a-7c2e-1f4a5b8c6d9e
related:
    - id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
      type: similar
status: experimental
description: |
    Detects numerous consecutive space characters in RunMRU registry values, which may indicate execution via a phishing lure that uses the ClickFix technique: the command pasted into the Windows Run dialog is padded with spaces so that only a harmless-looking comment is visible to the user.
references:
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
    - https://github.com/JohnHammond/recaptcha-phish
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.004
    - attack.t1027.010
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\'
        Details|contains: '#'
    selection_space_variation:
        Details|contains:
            # Each entry is 12 consecutive copies of one code point. Make sure the
            # converter and the SIEM preserve them: a copy that normalises them to
            # ASCII spaces turns every entry into the last one.
            - '            ' # En Quad (U+2000)
            - '            ' # Em Quad (U+2001)
            - '            ' # En Space (U+2002)
            - '            ' # Em Space (U+2003)
            - '            ' # Three-Per-Em Space (U+2004)
            - '            ' # Four-Per-Em Space (U+2005)
            - '            ' # Six-Per-Em Space (U+2006)
            - '            ' # Figure Space (U+2007)
            - '            ' # Punctuation Space (U+2008)
            - '            ' # Thin Space (U+2009)
            - '            ' # Hair Space (U+200A)
            - '            ' # No-Break Space (U+00A0)
            - '            ' # Normal space (U+0020)
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Space Characters in TypedPaths Registry Path - FileFix
Detects numerous consecutive space characters in TypedPaths registry values, which may indicate execution via a phishing lure that uses the FileFix technique (the same padding trick applied to the File Explorer address bar) to hide malicious commands.
status: experimental · author: Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
title: Suspicious Space Characters in TypedPaths Registry Path - FileFix
id: 8f2a5c3d-9e4b-4a7c-8d1f-2e5a6b9c3d7e
related:
    - id: 3ae9974a-eb09-4044-8e70-8980a50c12c8
      type: similar
status: experimental
description: |
    Detects numerous consecutive space characters in TypedPaths registry values, which may indicate execution via a phishing lure that uses the FileFix technique (the same padding trick applied to the File Explorer address bar) to hide malicious commands.
references:
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
    - https://mrd0x.com/filefix-clickfix-alternative/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-04
tags:
    - attack.execution
    - attack.stealth
    - attack.t1204.004
    - attack.t1027.010
logsource:
    category: registry_set
    product: windows
detection:
    selection_key:
        TargetObject|endswith: '\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths\url1'
        Details|contains: '#'
    selection_space_variation:
        Details|contains:
            # Each entry is 12 consecutive copies of one code point. Make sure the
            # converter and the SIEM preserve them: a copy that normalises them to
            # ASCII spaces turns every entry into the last one.
            - '            ' # En Quad (U+2000)
            - '            ' # Em Quad (U+2001)
            - '            ' # En Space (U+2002)
            - '            ' # Em Space (U+2003)
            - '            ' # Three-Per-Em Space (U+2004)
            - '            ' # Four-Per-Em Space (U+2005)
            - '            ' # Six-Per-Em Space (U+2006)
            - '            ' # Figure Space (U+2007)
            - '            ' # Punctuation Space (U+2008)
            - '            ' # Thin Space (U+2009)
            - '            ' # Hair Space (U+200A)
            - '            ' # No-Break Space (U+00A0)
            - '            ' # Normal space (U+0020)
    condition: all of selection_*
falsepositives:
    - Unlikely
level: high
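What the two padding rules above (RunMRU for ClickFix, TypedPaths for FileFix) are looking for, as an added example that is not part of the SigmaHQ rules: `sigma_rule_matches` transcribes their check (a `#` in the value plus twelve consecutive copies of one listed space code point), and `generalized_matches` goes beyond the rules by counting runs that mix code points, which the literal list cannot match. The `Details` strings, the lure text and the path are constructed for illustration, not captured registry telemetry.

```python
import unicodedata

# Added example, not SigmaHQ code. Transcribes the padding check from the two
# RunMRU/TypedPaths rules above and contrasts it with a category-based check.
# All Details strings below are constructed, not captured registry telemetry.

# The code points the rules pad on, in the order the YAML lists them.
SPACE_CODEPOINTS = [0x2000, 0x2001, 0x2002, 0x2003, 0x2004, 0x2005, 0x2006,
                    0x2007, 0x2008, 0x2009, 0x200A, 0x00A0, 0x0020]
RUN_LENGTH = 12  # each list entry in the rules is 12 consecutive copies of one code point


def sigma_rule_matches(details: str) -> bool:
    """selection_key ('#' present) and selection_space_variation, as the rules state them."""
    if "#" not in details:
        return False
    return any(chr(cp) * RUN_LENGTH in details for cp in SPACE_CODEPOINTS)


def longest_whitespace_run(details: str) -> int:
    """Longest run of space separators of *any* mix (Unicode category Zs, plus tab)."""
    best = cur = 0
    for ch in details:
        cur = cur + 1 if (unicodedata.category(ch) == "Zs" or ch == "\t") else 0
        best = max(best, cur)
    return best


def generalized_matches(details: str, threshold: int = RUN_LENGTH) -> bool:
    """Same idea as the rules, but alternating code points count toward one run."""
    return "#" in details and longest_whitespace_run(details) >= threshold


def padding_codepoints(details: str) -> list:
    """Non-ASCII space code points present, as 'U+XXXX' labels, for triage notes."""
    found = {ch for ch in details if unicodedata.category(ch) == "Zs" and ch != " "}
    return sorted(f"U+{ord(ch):04X}" for ch in found)


# Constructed samples. Explorer appends "\1" to RunMRU string values, and Sysmon
# Event ID 13 reports the value as written; the lure text after the padding is
# what the victim sees in a narrow Run box.
COMMAND = "mshta C:\\Users\\Public\\verify.hta"
LURE = "# I am not a robot - reCAPTCHA Verification"
CLICKFIX = COMMAND + "\u2002" * 200 + LURE + "\\1"   # 200 En Spaces, one code point
MIXED = COMMAND + "".join(chr(SPACE_CODEPOINTS[i % 12]) for i in range(200)) + LURE + "\\1"
BENIGN = "cmd\\1"
BENIGN_HASH = "\\\\fileserver\\share#1\\1"            # a '#' alone is not enough

if __name__ == "__main__":
    for name, value in [("clickfix", CLICKFIX), ("mixed", MIXED), ("benign", BENIGN), ("hash", BENIGN_HASH)]:
        print(f"{name:9s} rule={sigma_rule_matches(value)!s:5s} "
              f"generalized={generalized_matches(value)!s:5s} "
              f"run={longest_whitespace_run(value):3d} pads={padding_codepoints(value)}")
```

The threshold of 12 is kept from the rules only so the two checks are comparable; a real lure pads with hundreds of characters, so the generalized check can be tuned upward without losing coverage, while the literal list cannot be tuned at all against a lure that alternates code points.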
level: high · quality: Moderate · alert volume: High FP
Suspicious Speech Runtime Binary Child Process
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
status: experimental · author: andrewdanis · ATT&CK mapping: sub-technique · id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
title: Suspicious Speech Runtime Binary Child Process
id: 78f10490-f2f4-4d19-a75b-4e0683bf3b8d
status: experimental
description: |
    Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
    Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
references:
    - https://github.com/rtecCyberSec/SpeechRuntimeMove
author: andrewdanis
date: 2025-10-23
logsource:
    category: process_creation
    product: windows
tags:
    - attack.lateral-movement
    - attack.stealth
    - attack.t1021.003
    - attack.t1218
detection:
    selection:
        ParentImage|endswith: '\SpeechRuntime.exe'
    condition: selection
falsepositives:
    - Unlikely.
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Splwow64 Without Params
Detects suspicious Splwow64.exe process without any command line parameters
status: test · author: Florian Roth (Nextron Systems) · ATT&CK mapping: technique · id: 1f1a8509-2cbb-44f5-8751-8e1571518ce2
title: Suspicious Splwow64 Without Params
id: 1f1a8509-2cbb-44f5-8751-8e1571518ce2
status: test
description: Detects suspicious Splwow64.exe process without any command line parameters
references:
    - https://twitter.com/sbousseaden/status/1429401053229891590?s=12
author: Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\splwow64.exe'
        CommandLine|endswith: 'splwow64.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
Suspicious Spool Service Child Process
Detects suspicious print spool service (spoolsv.exe) child processes.
status: test · author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) · ATT&CK mapping: technique · id: dcdbc940-0bff-46b2-95f3-2d73f848e33b
title: Suspicious Spool Service Child Process
id: dcdbc940-0bff-46b2-95f3-2d73f848e33b
status: test
description: Detects suspicious print spool service (spoolsv.exe) child processes.
references:
    - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Exploits/Print%20Spooler%20RCE/Suspicious%20Spoolsv%20Child%20Process.md
author: Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule)
date: 2021-07-11
modified: 2024-12-01
tags:
    - attack.execution
    - attack.t1203
    - attack.privilege-escalation
    - attack.t1068
logsource:
    category: process_creation
    product: windows
detection:
    spoolsv:
        ParentImage|endswith: '\spoolsv.exe'
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    suspicious_unrestricted:
        Image|endswith:
            - '\gpupdate.exe'
            - '\whoami.exe'
            - '\nltest.exe'
            - '\taskkill.exe'
            - '\wmic.exe'
            - '\taskmgr.exe'
            - '\sc.exe'
            - '\findstr.exe'
            - '\curl.exe'
            - '\wget.exe'
            - '\certutil.exe'
            - '\bitsadmin.exe'
            - '\accesschk.exe'
            - '\wevtutil.exe'
            - '\bcdedit.exe'
            - '\fsutil.exe'
            - '\cipher.exe'
            - '\schtasks.exe'
            - '\write.exe'
            - '\wuauclt.exe'
            - '\systeminfo.exe'
            - '\reg.exe'
            - '\query.exe'
    suspicious_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
    suspicious_net_filter:
        CommandLine|contains: 'start'
    suspicious_cmd:
        Image|endswith: '\cmd.exe'
    suspicious_cmd_filter:
        CommandLine|contains:
            - '.spl'
            - 'route add'
            - 'program files'
    suspicious_netsh:
        Image|endswith: '\netsh.exe'
    suspicious_netsh_filter:
        CommandLine|contains:
            - 'add portopening'
            - 'rule name'
    suspicious_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    suspicious_powershell_filter:
        CommandLine|contains: '.spl'
    suspicious_rundll32_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    suspicious_rundll32_cli:
        CommandLine|endswith: 'rundll32.exe'
    condition: spoolsv and ( suspicious_unrestricted or (suspicious_net and not suspicious_net_filter) or (suspicious_cmd and not suspicious_cmd_filter) or (suspicious_netsh and not suspicious_netsh_filter) or (suspicious_powershell and not suspicious_powershell_filter) or all of suspicious_rundll32_* )
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
Suspicious Startup Folder Persistence
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers. This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
status: test · author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) · ATT&CK mapping: sub-technique · id: 28208707-fe31-437f-9a7f-4b1108b94d2e
title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
    - id: 2aa0a6b4-a865-495b-ab51-c28249537b75
      type: similar
status: test
description: |
    Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
    These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
    This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
references:
    - https://github.com/last-byte/PersistenceSniper
    - https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
    - https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-10
modified: 2025-10-12
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1204.002
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith:
            # Add or remove suspicious extensions according to your env needs
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.hta'
            - '.jar'
            - '.js'
            - '.jse'
            - '.msi'
            - '.ps1'
            - '.psd1'
            - '.psm1'
            - '.scr'
            - '.url'
            - '.vba'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
    - Rare legitimate usage of some of the extensions mentioned in the rule
level: high
level: high · quality: Strong · alert volume: Medium FP
Suspicious Svchost Process Access
Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
status: test · author: Tim Burrell · ATT&CK mapping: sub-technique · id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
title: Suspicious Svchost Process Access
id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
status: test
description: Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
references:
    - https://github.com/hlldz/Invoke-Phant0m
    - https://twitter.com/timbmsft/status/900724491076214784
author: Tim Burrell
date: 2020-01-02
modified: 2023-01-30
tags:
    - attack.defense-impairment
    - attack.t1685.001
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: ':\Windows\System32\svchost.exe'
        GrantedAccess: '0x1F3FFF'
        CallTrace|contains: 'UNKNOWN'
    filter_main_msbuild:
        SourceImage|contains: ':\Program Files\Microsoft Visual Studio\'
        SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
        # Just to make sure it's "really" .NET :)
        CallTrace|contains:
            - 'Microsoft.Build.ni.dll'
            - 'System.ni.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
Suspicious Sysmon as Execution Parent
Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
status: test · author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault) · ATT&CK mapping: technique · id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
title: Suspicious Sysmon as Execution Parent
id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
status: test
description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
    - https://twitter.com/filip_dragovic/status/1590052248260055041
    - https://twitter.com/filip_dragovic/status/1590104354727436290
author: Florian Roth (Nextron Systems), Tim Shelton (fp werfault)
date: 2022-11-10
modified: 2025-07-04
tags:
    - attack.privilege-escalation
    - attack.t1068
    - cve.2022-41120
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
    filter_main_temp_sysmon:
        # C:\Users\ADMINI~1\AppData\Local\Temp\2\Sysmon.exe
        Image|startswith: 'C:\Users\'
        Image|contains: '\AppData\Local\Temp\'
        Image|endswith:
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
    filter_main_generic:
        Image|contains:
            - ':\Windows\Sysmon.exe'
            - ':\Windows\Sysmon64.exe'
            - ':\Windows\System32\conhost.exe'
            - ':\Windows\System32\WerFault.exe' # When Sysmon crashes
            - ':\Windows\System32\WerFaultSecure.exe' # When Sysmon crashes
            - ':\Windows\System32\wevtutil.exe'
            - ':\Windows\SysWOW64\wevtutil.exe'
    filter_main_null:
        Image: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious TSCON Start as SYSTEM
Detects a tscon.exe start as LOCAL SYSTEM
status: test · author: Florian Roth (Nextron Systems) · ATT&CK mapping: sub-technique · id: 9847f263-4a81-424f-970c-875dab15b79b
title: Suspicious TSCON Start as SYSTEM
id: 9847f263-4a81-424f-970c-875dab15b79b
status: test
description: Detects a tscon.exe start as LOCAL SYSTEM
references:
    - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
    - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
    - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement
author: Florian Roth (Nextron Systems)
date: 2018-03-17
modified: 2022-05-27
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        Image|endswith: '\tscon.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Low FP
Suspicious Teams Application Related ObjectAcess Event
Detects access to the authentication tokens and account data of the Microsoft Teams desktop application. Event ID 4663 is only written for objects that carry a matching SACL, so file-system auditing has to be enabled on those paths before this rule can fire.
status: test · author: @SerkinValery · ATT&CK mapping: technique · id: 25cde13e-8e20-4c29-b949-4e795b76f16f
title: Suspicious Teams Application Related ObjectAcess Event
id: 25cde13e-8e20-4c29-b949-4e795b76f16f
status: test
description: Detects access to the authentication tokens and account data of the Microsoft Teams desktop application.
references:
    - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
    - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
author: '@SerkinValery'
date: 2022-09-16
tags:
    - attack.credential-access
    - attack.t1528
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4663
        ObjectName|contains:
            - '\Microsoft\Teams\Cookies'
            - '\Microsoft\Teams\Local Storage\leveldb'
    filter:
        ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: High FP
Suspicious UltraVNC Execution
Detects a suspicious UltraVNC command-line flag combination that indicates an auto-reconnect on execution, e.g. at startup (as seen being used by the Gamaredon threat group)
status: test · author: Bhabesh Raj · ATT&CK mapping: sub-technique · id: 871b9555-69ca-4993-99d3-35a59f9f3599
title: Suspicious UltraVNC Execution
id: 871b9555-69ca-4993-99d3-35a59f9f3599
status: test
description: Detects a suspicious UltraVNC command-line flag combination that indicates an auto-reconnect on execution, e.g. at startup (as seen being used by the Gamaredon threat group)
references:
    - https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine
    - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
    - https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html
author: Bhabesh Raj
date: 2022-03-04
modified: 2022-03-09
tags:
    - attack.lateral-movement
    - attack.g0047
    - attack.t1021.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '-autoreconnect '
            - '-connect '
            - '-id:'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Uninstall of Windows Defender Feature via PowerShell
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
status: experimental · author: yxinmiracle · ATT&CK mapping: technique · id: c443012c-7928-43bf-ac20-7eda5efe61ad
title: Suspicious Uninstall of Windows Defender Feature via PowerShell
id: c443012c-7928-43bf-ac20-7eda5efe61ad
status: experimental
description: |
    Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
references:
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.windows.servermanager.migration/uninstall-windowsfeature
    - https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware
author: yxinmiracle
date: 2025-08-22
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell_ise.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell_ISE.EXE'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli_uninstall:
        CommandLine|contains:
            - 'Uninstall-WindowsFeature'
            - 'Remove-WindowsFeature' # Windows Server 2008 R2 name; kept as an alias of Uninstall-WindowsFeature on later versions
    selection_cli_defender_feature:
        CommandLine|contains: 'Windows-Defender'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
level: high · quality: Moderate · alert volume: Medium FP
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
Detects the load of an unsigned dbghelp.dll or dbgcore.dll, the DLLs that export the MiniDumpWriteDump API used to write memory dumps; a match means the loaded copy is not the Microsoft-signed one. Tools like Process Hacker and some attacker tradecraft use MiniDumpWriteDump. As an example, the SILENTTRINITY C2 framework has a module that leverages this API to dump the contents of lsass.exe and transfer it over the network back to the attacker's machine.
status: test · author: Perez Diego (@darkquassar), oscd.community, Ecco · ATT&CK mapping: sub-technique · id: bdc64095-d59a-42a2-8588-71fd9c9d9abc
title: Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
id: bdc64095-d59a-42a2-8588-71fd9c9d9abc
related:
    - id: 0e277796-5f23-4e49-a490-483131d4f6e1 # Suspicious Loading
      type: similar
status: test
description: |
    Detects the load of an unsigned dbghelp.dll or dbgcore.dll, the DLLs that export the MiniDumpWriteDump API used to write memory dumps; a match means the loaded copy is not the Microsoft-signed one.
    Tools like Process Hacker and some attacker tradecraft use MiniDumpWriteDump.
    As an example, the SILENTTRINITY C2 framework has a module that leverages this API to dump the contents of lsass.exe and transfer it over the network back to the attacker's machine.
references:
    - https://learn.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
author: Perez Diego (@darkquassar), oscd.community, Ecco
date: 2019-10-27
modified: 2022-12-09
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith:
            - '\dbghelp.dll'
            - '\dbgcore.dll'
        Signed: 'false'
    condition: selection
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
status: stable · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: sub-technique · id: ea5c131b-380d-49f9-aeb3-920694da4d4b
title: Suspicious Unsigned Thor Scanner Execution
id: ea5c131b-380d-49f9-aeb3-920694da4d4b
status: stable
description: Detects loading and execution of an unsigned thor scanner binary.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-29
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
        ImageLoaded|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_main:
        Signed: 'true'
        SignatureStatus: 'valid'
        Signature: 'Nextron Systems GmbH'
    condition: selection and not filter_main
falsepositives:
    - Other legitimate binaries named "thor.exe" that aren't published by Nextron Systems
level: high
level: high · quality: Moderate · alert volume: High FP
Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands, as seen in the Raspberry Robin attack
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK mapping: tactic-only · id: d87bd452-6da1-456e-8155-7dc988157b7d
title: Suspicious Usage Of ShellExec_RunDLL
id: d87bd452-6da1-456e-8155-7dc988157b7d
related:
    - id: 36c5146c-d127-4f85-8e21-01bf62355d5a
      type: obsolete
    - id: 8823e85d-31d8-473e-b7f4-92da070f0fc6
      type: similar
status: test
description: Detects suspicious usage of the ShellExec_RunDLL function to launch other commands, as seen in the Raspberry Robin attack
references:
    - https://redcanary.com/blog/raspberry-robin/
    - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2022-12-30
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_openasrundll:
        CommandLine|contains: 'ShellExec_RunDLL'
    selection_suspcli:
        CommandLine|contains:
            - '\Desktop\'
            - '\Temp\'
            - '\Users\Public\'
            - 'comspec'
            - 'iex'
            - 'Invoke-'
            - 'msiexec'
            - 'odbcconf'
            - 'regsvr32'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
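The two ShellExec_RunDLL rules on this page (the ordinal variant at the top of this section and the name-based one directly above) evaluated over constructed events, as an added example that is not SigmaHQ code. It shows why the ordinal rule reads `ParentCommandLine` of the spawned child rather than `CommandLine` of the rundll32 launch, and that the rundll32 launch itself, when the export is referenced by ordinal, matches neither rule. The event shapes, paths and file names are assumptions for illustration; only the Sigma features these two rules use are implemented.

```python
# Added example, not SigmaHQ code: a minimal evaluator for the two ShellExec_RunDLL
# rules on this page, run over constructed process_creation events. It implements only
# what these rules use: contains/endswith/startswith modifiers, a map as AND over its
# fields, a list of maps as OR, and case-insensitive matching as Sigma specifies.


def _match_field(event, spec, patterns):
    """One 'Field|modifier' entry against one event; a missing field never matches."""
    field, *mods = spec.split("|")
    value = event.get(field)
    if value is None:
        return False
    value = str(value).lower()
    pats = [str(p).lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    if "contains" in mods:
        hits = [p in value for p in pats]
    elif "endswith" in mods:
        hits = [value.endswith(p) for p in pats]
    elif "startswith" in mods:
        hits = [value.startswith(p) for p in pats]
    else:
        hits = [value == p for p in pats]
    return all(hits) if "all" in mods else any(hits)


def _match_selection(event, selection):
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(_match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


# Transcribed from "Suspicious ShellExec_RunDLL Call Via Ordinal": it inspects the
# *child* of rundll32, so the ordinal sits in ParentCommandLine.
ORDINAL_RULE = {
    "selection_parent_img": {"ParentCommandLine|contains": "SHELL32.DLL"},
    "selection_parent_ordinal": {"ParentCommandLine|contains": ["#568", "#570", "#572", "#576"]},
    "selection_susp_cli_parent": [
        {"ParentCommandLine|contains": ["comspec", "iex", "Invoke-", "msiexec", "odbcconf", "regsvr32"]},
        {"ParentCommandLine|contains": ["\\Desktop\\", "\\ProgramData\\", "\\Temp\\", "\\Users\\Public\\"]},
    ],
    "selection_susp_child_img": {"Image|endswith": [
        "\\bash.exe", "\\bitsadmin.exe", "\\cmd.exe", "\\cscript.exe", "\\curl.exe", "\\mshta.exe",
        "\\msiexec.exe", "\\msxsl.exe", "\\odbcconf.exe", "\\powershell.exe", "\\pwsh.exe",
        "\\regsvr32.exe", "\\schtasks.exe", "\\wmic.exe", "\\wscript.exe"]},
}

# Transcribed from "Suspicious Usage Of ShellExec_RunDLL": it inspects the rundll32
# launch itself and needs the export name in CommandLine.
NAME_RULE = {
    "selection_openasrundll": {"CommandLine|contains": "ShellExec_RunDLL"},
    "selection_suspcli": {"CommandLine|contains": ["\\Desktop\\", "\\Temp\\", "\\Users\\Public\\",
                                                   "comspec", "iex", "Invoke-", "msiexec", "odbcconf", "regsvr32"]},
}


def ordinal_rule(event):
    # condition: all of selection_parent_* and 1 of selection_susp_*
    hit = {name: _match_selection(event, sel) for name, sel in ORDINAL_RULE.items()}
    parent = all(v for k, v in hit.items() if k.startswith("selection_parent_"))
    susp = any(v for k, v in hit.items() if k.startswith("selection_susp_"))
    return parent and susp


def name_rule(event):
    # condition: all of selection_*
    return all(_match_selection(event, sel) for sel in NAME_RULE.values())


def fired(event):
    """Titles of the rules that match one event, in page order."""
    return [title for title, rule in (("Suspicious ShellExec_RunDLL Call Via Ordinal", ordinal_rule),
                                      ("Suspicious Usage Of ShellExec_RunDLL", name_rule)) if rule(event)]


# Constructed events in Sysmon Event ID 1 / process_creation shape, not captured telemetry.
BY_NAME = {  # rundll32 launch that names the export
    "Image": "C:\\Windows\\System32\\rundll32.exe",
    "CommandLine": 'rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\\Users\\Public\\stage.exe"',
    "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
    "ParentCommandLine": "msiexec.exe /q /i C:\\Users\\Public\\stage.msi",
}
BY_ORDINAL_LAUNCH = dict(BY_NAME,  # same launch, but the export is referenced by ordinal
                         CommandLine='rundll32.exe SHELL32.DLL,#572 "cmd.exe" "/c C:\\Users\\Public\\stage.exe"')
BY_ORDINAL_CHILD = {  # the process that ShellExec_RunDLL then spawns
    "Image": "C:\\Windows\\System32\\cmd.exe",
    "CommandLine": "cmd.exe /c C:\\Users\\Public\\stage.exe",
    "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
    "ParentCommandLine": BY_ORDINAL_LAUNCH["CommandLine"],
}
BENIGN_CHILD = {  # "Open with" dialog (OpenAs_RunDLL) handing a text file to notepad
    "Image": "C:\\Windows\\System32\\notepad.exe",
    "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt",
    "ParentImage": "C:\\Windows\\System32\\rundll32.exe",
    "ParentCommandLine": "rundll32.exe SHELL32.DLL,OpenAs_RunDLL C:\\Users\\alice\\notes.txt",
}

if __name__ == "__main__":
    for label, event in [("by name", BY_NAME), ("ordinal launch", BY_ORDINAL_LAUNCH),
                         ("ordinal child", BY_ORDINAL_CHILD), ("benign child", BENIGN_CHILD)]:
        print(f"{label:15s} -> {fired(event) or 'no match'}")
```

Two things to carry into tuning: the ordinal rule only fires on the child event, so a rundll32 launch by ordinal that never spawns a listed child goes unseen by both rules, and the `iex` substring in both suspicious-command lists also matches inside `msiexec`, which is worth knowing when you read why a hit scored.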
Convert to SIEM query
high Strong Medium FP
Suspicious Use of CSharp Interactive Console
Detects the execution of CSharp interactive console by PowerShell
status test author Michael R. (@nahamike01) ATT&CK technique id a9e416a8-e613-4f8b-88b8-a7d1d1af2f61
title: Suspicious Use of CSharp Interactive Console
id: a9e416a8-e613-4f8b-88b8-a7d1d1af2f61
status: test
description: Detects the execution of CSharp interactive console by PowerShell
references:
    - https://redcanary.com/blog/detecting-attacks-leveraging-the-net-framework/
author: Michael R. (@nahamike01)
date: 2020-03-08
modified: 2022-07-14
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\csi.exe'
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
        OriginalFileName: 'csi.exe'
    condition: selection
falsepositives:
    - Possible depending on environment. Pair with other factors such as net connections, command-line args, etc.
level: high
high Moderate Medium FP
Suspicious User Agent
Detects suspicious malformed user agent strings in proxy logs
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 7195a772-4b3f-43a4-a210-6a003d65caa1
title: Suspicious User Agent
id: 7195a772-4b3f-43a4-a210-6a003d65caa1
status: test
description: Detects suspicious malformed user agent strings in proxy logs
references:
    - https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb
author: Florian Roth (Nextron Systems)
date: 2017-07-08
modified: 2022-10-31
tags:
    - attack.command-and-control
    - attack.t1071.001
logsource:
    category: proxy
detection:
    selection1:
        c-useragent|startswith:
            - 'user-agent'  # User-Agent: User-Agent:
            - 'Mozilla/3.0 '
            - 'Mozilla/2.0 '
            - 'Mozilla/1.0 '
            - 'Mozilla '  # missing slash
            - ' Mozilla/'  # leading space
            - 'Mozila/'  # single 'l'
            - 'Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol'  # https://twitter.com/NtSetDefault/status/1303643299509567488
    selection2:
        c-useragent|contains:
            - ' (compatible;MSIE '  # typical typo - missing space
            - '.0;Windows NT '  # typical typo - missing space
            - 'loader'  # https://twitter.com/securityonion/status/1522614635152744453?s=20&t=gHyPTSq5A27EqKwrCd9ohg
    selection3:
        c-useragent:
            - '_'
            - 'CertUtil URL Agent'  # https://twitter.com/stvemillertime/status/985150675527974912
            - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'  # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
            - 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0'  # used by APT28 malware https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
            - 'HTTPS'  # https://twitter.com/stvemillertime/status/1204437531632250880
            - 'Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a'  # https://www.cyfirma.com/outofband/erbium-stealer-malware-report
            - 'x'  # Use by Racoon Stealer but could be something else
            - 'xxx'  # Use by Racoon Stealer but could be something else
    falsepositives:
        - c-useragent: 'Mozilla/3.0 * Acrobat *'  # Acrobat with linked content
        - cs-host|endswith: # Adobe product traffic, example: Mozilla/3.0 (compatible; Adobe Synchronizer 10.12.20000)
              - '.acrobat.com'
              - '.adobe.com'
              - '.adobe.io'
    condition: 1 of selection* and not falsepositives
falsepositives:
    - Unknown
level: high
high Moderate High FP
Suspicious VBScript UN2452 Pattern
Detects suspicious inline VBScript keywords as used by UNC2452
status test author Florian Roth (Nextron Systems) ATT&CK sub-technique id 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
title: Suspicious VBScript UN2452 Pattern
id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
status: test
description: Detects suspicious inline VBScript keywords as used by UNC2452
references:
    - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
author: Florian Roth (Nextron Systems)
date: 2021-03-05
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Execute'
            - 'CreateObject'
            - 'RegRead'
            - 'window.close'
            - '\Microsoft\Windows\CurrentVersion'
    filter:
        CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Run'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) ATT&CK technique id 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
title: Suspicious Velociraptor Child Process
id: 4bc90587-e6ca-4b41-be0b-ed4d04e4ed0c
status: experimental
description: Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
references:
    - https://news.sophos.com/en-us/2025/08/26/velociraptor-incident-response-tool-abused-for-remote-access/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-08-29
tags:
    - attack.command-and-control
    - attack.persistence
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\Velociraptor.exe'
    selection_child_vscode_tunnel:
        CommandLine|contains|all:
            - 'code.exe'
            - 'tunnel'
            - '--accept-server-license-terms'
    selection_child_msiexec:
        CommandLine|contains|all:
            - 'msiexec'
            - '/i'
            - 'http'
    selection_child_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'Invoke-WebRequest '
            - 'IWR '
            - '.DownloadFile'
            - '.DownloadString'
    # Add more child process patterns as needed
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Legitimate administrators or incident responders might use Velociraptor to execute scripts or tools. However, the combination of Velociraptor spawning these specific processes with these command lines is suspicious. Tuning may be required to exclude known administrative actions or specific scripts.
level: high
high Strong Medium FP
Suspicious Volume Shadow Copy VSS_PS.dll Load
Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
status test author Markus Neis, @markus_neis ATT&CK technique id 333cdbe8-27bb-4246-bf82-b41a0dca4b70
title: Suspicious Volume Shadow Copy VSS_PS.dll Load
id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70
related:
    - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
      type: similar
    - id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8 # vssapi.dll
      type: similar
status: test
description: |
    Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.
    It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.
    The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
references:
    - https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add
    - https://twitter.com/am0nsec/status/1412232114980982787
author: Markus Neis, @markus_neis
date: 2021-07-07
modified: 2025-07-11
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vss_ps.dll'
    filter_main_legit:
        Image|startswith: 'C:\Windows\'
        Image|endswith:
            - '\clussvc.exe'
            - '\dismhost.exe'
            - '\dllhost.exe'
            - '\inetsrv\appcmd.exe'
            - '\inetsrv\iissetup.exe'
            - '\msiexec.exe'
            - '\rundll32.exe'
            - '\searchindexer.exe'
            - '\srtasks.exe'
            - '\svchost.exe'
            - '\System32\SystemPropertiesAdvanced.exe'
            - '\taskhostw.exe'
            - '\thor.exe'
            - '\thor64.exe'
            - '\tiworker.exe'
            - '\vssvc.exe'
            - '\vssadmin.exe'
            - '\WmiPrvSE.exe'
            - '\wsmprovhost.exe'
    filter_main_update:
        CommandLine|startswith: 'C:\$WinREAgent\Scratch\'
        CommandLine|contains: '\dismhost.exe {'
    filter_main_image_null:
        Image: null
    filter_optional_programfiles:
        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Suspicious Volume Shadow Copy Vssapi.dll Load
Detects the image load of VSS DLL by uncommon executables
status test author frack113 ATT&CK technique id 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8
title: Suspicious Volume Shadow Copy Vssapi.dll Load
id: 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8
related:
    - id: 333cdbe8-27bb-4246-bf82-b41a0dca4b70 # vss_ps.dll
      type: similar
    - id: 48bfd177-7cf2-412b-ad77-baf923489e82 # vsstrace.dll
      type: similar
status: test
description: Detects the image load of VSS DLL by uncommon executables
references:
    - https://github.com/ORCx41/DeleteShadowCopies
author: frack113
date: 2022-10-31
modified: 2026-05-18
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\vssapi.dll'
    filter_main_windows:
        - Image:
              - 'C:\Windows\explorer.exe'
              - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
        - Image|startswith:
              - 'C:\Windows\System32\'
              - 'C:\Windows\SysWOW64\'
              - 'C:\Windows\Temp\{' # Installers
              - 'C:\Windows\WinSxS\'
              - 'C:\$WinREAgent\Scratch\'
    filter_main_program_files:
        # When using this rule in your environment replace the "Program Files" folder by the exact applications you know use this. Examples would be software such as backup solutions
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    filter_main_null_image:
        Image: null
    filter_optional_programdata_packagecache:
        # The following filter is required because of many FPs cause by:
        #   C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe
        #   C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe
        #   C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe
        #   C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe
        #   etc.
        Image|startswith: 'C:\ProgramData\Package Cache\'
    filter_optional_avira:
        Image|contains|all:
            - '\temp\is-'
            - '\avira_system_speedup.tmp'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Suspicious WMIC Execution Via Office Process
Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
status test author Vadim Khrykov, Cyb3rEng ATT&CK sub-technique id e1693bc8-7168-4eab-8718-cdcaa68a1738
title: Suspicious WMIC Execution Via Office Process
id: e1693bc8-7168-4eab-8718-cdcaa68a1738
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50
      type: derived
    - id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
      type: obsolete
    - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
      type: obsolete
    - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
      type: obsolete
    - id: 04f5363a-6bca-42ff-be70-0d28bf629ead
      type: obsolete
status: test
description: Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov, Cyb3rEng
date: 2021-08-23
modified: 2023-02-14
tags:
    - attack.stealth
    - attack.t1204.002
    - attack.t1047
    - attack.t1218.010
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.exe'
            - '\MSPUB.exe'
            - '\VISIO.exe'
            - '\MSACCESS.EXE'
            - '\EQNEDT32.EXE'
            - '\ONENOTE.EXE'
            - '\wordpad.exe'
            - '\wordview.exe'
    selection_wmic_img:
        - Image|endswith: '\wbem\WMIC.exe'
        - OriginalFileName: 'wmic.exe'
    selection_wmic_cli:
        CommandLine|contains|all:
            - 'process'
            - 'create'
            - 'call'
        CommandLine|contains:
            # Add more suspicious LOLBINs as you see fit
            - 'regsvr32'
            - 'rundll32'
            - 'msiexec'
            - 'mshta'
            - 'verclsid'
            - 'wscript'
            - 'cscript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
status test author Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) ATT&CK sub-technique id 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
title: Suspicious WebDav Client Execution Via Rundll32.EXE
id: 982e9f2d-1a85-4d5b-aea4-31f5e97c6555
status: test
description: |
    Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
references:
    - https://twitter.com/aceresponder/status/1636116096506818562
    - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
    - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
    - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2023-03-16
modified: 2023-09-18
tags:
    - attack.exfiltration
    - attack.t1048.003
    - cve.2023-23397
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        ParentCommandLine|contains: '-s WebClient'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
        CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
    filter_local_ips:
        CommandLine|contains:
            - '://10.' # 10.0.0.0/8
            - '://192.168.' # 192.168.0.0/16
            - '://172.16.' # 172.16.0.0/12
            - '://172.17.'
            - '://172.18.'
            - '://172.19.'
            - '://172.20.'
            - '://172.21.'
            - '://172.22.'
            - '://172.23.'
            - '://172.24.'
            - '://172.25.'
            - '://172.26.'
            - '://172.27.'
            - '://172.28.'
            - '://172.29.'
            - '://172.30.'
            - '://172.31.'
            - '://127.' # 127.0.0.0/8
            - '://169.254.' # 169.254.0.0/16
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
high Moderate Medium FP
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
status test author James Pemberton / @4A616D6573 ATT&CK sub-technique id 1bbf25b9-8038-4154-a50b-118f2a32be27
title: Suspicious Windows ANONYMOUS LOGON Local Account Created
id: 1bbf25b9-8038-4154-a50b-118f2a32be27
status: test
description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as a covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
references:
    - https://twitter.com/SBousseaden/status/1189469425482829824
author: James Pemberton / @4A616D6573
date: 2019-10-31
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.t1136.001
    - attack.t1136.002
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
        SamAccountName|contains|all:
            - 'ANONYMOUS'
            - 'LOGON'
    condition: selection
falsepositives:
    - Unknown
level: high
high Strong Medium FP
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
status test author Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems) ATT&CK technique id 452bce90-6fb0-43cc-97a5-affc283139b3
title: Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
id: 452bce90-6fb0-43cc-97a5-affc283139b3
status: test
description: |
    Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
    - https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
    - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
    - https://tria.ge/241231-j9yatstqbm/behavioral1
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-22
modified: 2025-06-04
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_root_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_root_path:
        CommandLine|contains:
            - 'SOFTWARE\Microsoft\Windows Defender\'
            - 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
            - 'SOFTWARE\Policies\Microsoft\Windows Defender\'
    selection_dword_0:
        CommandLine|contains|all:
            - ' add '
            - 'd 0'
        CommandLine|contains:
            - 'DisallowExploitProtectionOverride'
            - 'EnableControlledFolderAccess'
            - 'MpEnablePus'
            - 'PUAProtection'
            - 'SpynetReporting'
            - 'SubmitSamplesConsent'
            - 'TamperProtection'
    selection_dword_1:
        CommandLine|contains|all:
            - ' add '
            - 'd 1'
        CommandLine|contains:
            - 'DisableAccess'
            - 'DisableAntiSpyware'
            - 'DisableAntiSpywareRealtimeProtection'
            - 'DisableAntiVirus'
            - 'DisableAntiVirusSignatures'
            - 'DisableArchiveScanning'
            - 'DisableBehaviorMonitoring'
            - 'DisableBlockAtFirstSeen'
            - 'DisableCloudProtection'
            - 'DisableConfig'
            - 'DisableEnhancedNotifications'
            - 'DisableIntrusionPreventionSystem'
            - 'DisableIOAVProtection'
            - 'DisableNetworkProtection'
            - 'DisableOnAccessProtection'
            - 'DisablePrivacyMode'
            - 'DisableRealtimeMonitoring'
            - 'DisableRoutinelyTakingAction'
            - 'DisableScanOnRealtimeEnable'
            - 'DisableScriptScanning'
            - 'DisableSecurityCenter'
            - 'Notification_Suppress'
            - 'SignatureDisableUpdateOnStartupWithoutEngine'
    condition: all of selection_root_* and 1 of selection_dword_*
falsepositives:
    - Rare legitimate use by administrators to test software (should always be investigated)
level: high
high Strong High FP
Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
status test author Nasreddine Bencherchali (Nextron Systems), frack113, X__Junior (Nextron Systems) ATT&CK technique id ce72ef99-22f1-43d4-8695-419dcb5d9330
title: Suspicious Windows Service Tampering
id: ce72ef99-22f1-43d4-8695-419dcb5d9330
related:
    - id: eb87818d-db5d-49cc-a987-d5da331fbd90
      type: obsolete
    - id: 6783aa9e-0dc3-49d4-a94a-8b39c5fd700b
      type: obsolete
    - id: 7fd4bb39-12d0-45ab-bb36-cebabc73dc7b
      type: obsolete
status: test
description: |
    Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
references:
    - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
    - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
    - https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
    - https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955
    - https://learn.microsoft.com/en-us/windows/win32/cimwin32prov/delete-method-in-class-win32-service
author: Nasreddine Bencherchali (Nextron Systems), frack113, X__Junior (Nextron Systems)
date: 2022-09-01
modified: 2025-08-27
tags:
    - attack.impact
    - attack.defense-impairment
    - attack.t1489
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_img:
        - OriginalFileName:
              - 'net.exe'
              - 'net1.exe'
              - 'PowerShell_ISE.EXE'
              - 'PowerShell.EXE'
              - 'psservice.exe'
              - 'pwsh.dll'
              - 'sc.exe'
              - 'wmic.exe'
        - Image|endswith:
              - '\net.exe'
              - '\net1.exe'
              - '\PowerShell_ISE.EXE'
              - '\powershell.exe'
              - '\PsService.exe'
              - '\PsService64.exe'
              - '\pwsh.exe'
              - '\sc.exe'
              - '\wmic.exe' # wmic process call win32_service where name='servicename' delete
    selection_tools_cli:
        - CommandLine|contains:
              - ' delete '
              - '.delete()' # Get-WmiObject win32_service -Filter "name='$serviceName'" ).delete()
              - ' pause ' # Covers flags from: PsService and Sc.EXE
              - ' stop ' # Covers flags from: PsService.EXE, Net.EXE and Sc.EXE
              - 'Stop-Service '
              - 'Remove-Service '
        - CommandLine|contains|all:
              - 'config'
              - 'start=disabled'
    selection_services:
        CommandLine|contains:
            - '143Svc'
            - 'Acronis VSS Provider'
            - 'AcronisAgent'
            - 'AcrSch2Svc'
            - 'AdobeARMservice'
            - 'AHS Service'
            - 'Antivirus'
            - 'Apache4'
            - 'ARSM'
            - 'aswBcc'
            - 'AteraAgent'
            - 'Avast Business Console Client Antivirus Service'
            - 'avast! Antivirus'
            - 'AVG Antivirus'
            - 'avgAdminClient'
            - 'AvgAdminServer'
            - 'AVP1'
            - 'BackupExec'
            - 'bedbg'
            - 'BITS'
            - 'BrokerInfrastructure'
            - 'CASLicenceServer'
            - 'CASWebServer'
            - 'Client Agent 7.60'
            - 'Core Browsing Protection'
            - 'Core Mail Protection'
            - 'Core Scanning Server'
            - 'DCAgent'
            - 'dwmrcs'
            - 'EhttpSr'
            - 'ekrn'
            - 'Enterprise Client Service'
            - 'epag'
            - 'EPIntegrationService'
            - 'EPProtectedService'
            - 'EPRedline'
            - 'EPSecurityService'
            - 'EPUpdateService'
            - 'EraserSvc11710'
            - 'EsgShKernel'
            - 'ESHASRV'
            - 'FA_Scheduler'
            - 'FirebirdGuardianDefaultInstance'
            - 'FirebirdServerDefaultInstance'
            - 'FontCache3.0.0.0'
            - 'HealthTLService'
            - 'hmpalertsvc'
            - 'HMS'
            - 'HostControllerService'
            - 'hvdsvc'
            - 'IAStorDataMgrSvc'
            - 'IBMHPS'
            - 'ibmspsvc'
            - 'IISAdmin'
            - 'IMANSVC'
            - 'IMAP4Svc'
            - 'instance2'
            - 'KAVFS'
            - 'KAVFSGT'
            - 'kavfsslp'
            - 'KeyIso'
            - 'klbackupdisk'
            - 'klbackupflt'
            - 'klflt'
            - 'klhk'
            - 'KLIF'
            - 'klim6'
            - 'klkbdflt'
            - 'klmouflt'
            - 'klnagent'
            - 'klpd'
            - 'kltap'
            - 'KSDE1.0.0'
            - 'LogProcessorService'
            - 'M8EndpointAgent'
            - 'macmnsvc'
            - 'masvc'
            - 'MBAMService'
            - 'MBCloudEA'
            - 'MBEndpointAgent'
            - 'McAfeeDLPAgentService'
            - 'McAfeeEngineService'
            - 'MCAFEEEVENTPARSERSRV'
            - 'McAfeeFramework'
            - 'MCAFEETOMCATSRV530'
            - 'McShield'
            - 'McTaskManager'
            - 'mfefire'
            - 'mfemms'
            - 'mfevto'
            - 'mfevtp'
            - 'mfewc'
            - 'MMS'
            - 'mozyprobackup'
            - 'mpssvc'
            - 'MSComplianceAudit'
            - 'MSDTC'
            - 'MsDtsServer'
            - 'MSExchange'
            - 'msftesq1SPROO'
            - 'msftesql$PROD'
            - 'msftesql$SQLEXPRESS'
            - 'MSOLAP$SQL_2008'
            - 'MSOLAP$SYSTEM_BGC'
            - 'MSOLAP$TPS'
            - 'MSOLAP$TPSAMA'
            - 'MSOLAPSTPS'
            - 'MSOLAPSTPSAMA'
            - 'mssecflt'
            - 'MSSQ!I.SPROFXENGAGEMEHT'
            - 'MSSQ0SHAREPOINT'
            - 'MSSQ0SOPHOS'
            - 'MSSQL'
            - 'MSSQLFDLauncher$'
            - 'MySQL'
            - 'NanoServiceMain'
            - 'NetMsmqActivator'
            - 'NetPipeActivator'
            - 'netprofm'
            - 'NetTcpActivator'
            - 'NetTcpPortSharing'
            - 'ntrtscan'
            - 'nvspwmi'
            - 'ofcservice'
            - 'Online Protection System'
            - 'OracleClientCache80'
            - 'OracleDBConsole'
            - 'OracleMTSRecoveryService'
            - 'OracleOraDb11g_home1'
            - 'OracleService'
            - 'OracleVssWriter'
            - 'osppsvc'
            - 'PandaAetherAgent'
            - 'PccNTUpd'
            - 'PDVFSService'
            - 'POP3Svc'
            - 'postgresql-x64-9.4'
            - 'POVFSService'
            - 'PSUAService'
            - 'Quick Update Service'
            - 'RepairService'
            - 'ReportServer'
            - 'ReportServer$'
            - 'RESvc'
            - 'RpcEptMapper'
            - 'sacsvr'
            - 'SamSs'
            - 'SAVAdminService'
            - 'SAVService'
            - 'ScSecSvc'
            - 'SDRSVC'
            - 'SearchExchangeTracing'
            - 'sense'
            - 'SentinelAgent'
            - 'SentinelHelperService'
            - 'SepMasterService'
            - 'ShMonitor'
            - 'Smcinst'
            - 'SmcService'
            - 'SMTPSvc'
            - 'SNAC'
            - 'SntpService'
            - 'Sophos'
            - 'SQ1SafeOLRService'
            - 'SQL Backups'
            - 'SQL Server'
            - 'SQLAgent'
            - 'SQLANYs_Sage_FAS_Fixed_Assets'
            - 'SQLBrowser'
            - 'SQLsafe'
            - 'SQLSERVERAGENT'
            - 'SQLTELEMETRY'
            - 'SQLWriter'
            - 'SSISTELEMETRY130'
            - 'SstpSvc'
            - 'storflt'
            - 'svcGenericHost'
            - 'swc_service'
            - 'swi_filter'
            - 'swi_service'
            - 'swi_update'
            - 'Symantec'
            - 'sysmon'
            - 'TeamViewer'
            - 'Telemetryserver'
            - 'ThreatLockerService'
            - 'TMBMServer'
            - 'TmCCSF'
            - 'TmFilter'
            - 'TMiCRCScanService'
            - 'tmlisten'
            - 'TMLWCSService'
            - 'TmPfw'
            - 'TmPreFilter'
            - 'TmProxy'
            - 'TMSmartRelayService'
            - 'tmusa'
            - 'Tomcat'
            - 'Trend Micro Deep Security Manager'
            - 'TrueKey'
            - 'UFNet'
            - 'UI0Detect'
            - 'UniFi'
            - 'UTODetect'
            - 'vds'
            - 'Veeam'
            - 'VeeamDeploySvc'
            - 'Veritas System Recovery'
            - 'vmic'
            - 'VMTools'
            - 'vmvss'
            - 'VSApiNt'
            - 'VSS'
            - 'W3Svc'
            - 'wbengine'
            - 'WdNisSvc'
            - 'WeanClOudSve'
            - 'Weems JY'
            - 'WinDefend'
            - 'wmms'
            - 'wozyprobackup'
            - 'WPFFontCache_v0400'
            - 'WRSVC'
            - 'wsbexchange'
            - 'WSearch'
            - 'wscsvc'
            - 'Zoolz 2 Service'
    condition: all of selection_*
falsepositives:
    - Administrators or tools shutting down the services for upgrade or removal purposes. If you experience false positives, consider adding filters on the parent process launching this command rather than removing the entry
level: high
level: high · quality: Moderate · alert volume: High FP
Suspicious Windows Strings In URI
Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
status: test · author: Nasreddine Bencherchali (Nextron Systems) · ATT&CK: sub-technique · id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
title: Suspicious Windows Strings In URI
id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
status: test
description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
references:
    - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-06
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.exfiltration
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '=C:/Users'
            - '=C:/Program%20Files'
            - '=C:/Windows'
            - '=C%3A%5CUsers'
            - '=C%3A%5CProgram%20Files'
            - '=C%3A%5CWindows'
    condition: selection
falsepositives:
    - Legitimate applications and websites that use Windows paths in their URL
level: high
level: high · quality: Strong · alert volume: Medium FP
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: cd1f961e-0b96-436b-b7c6-38da4583ec00
title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
id: cd1f961e-0b96-436b-b7c6-38da4583ec00
status: test
description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
references:
    - https://twitter.com/0gtweet/status/1359039665232306183?s=21
    - https://ss64.com/nt/logman.html
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2023-02-21
tags:
    - attack.defense-impairment
    - attack.t1685
    - attack.t1685.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\logman.exe'
        - OriginalFileName: 'Logman.exe'
    selection_action:
        CommandLine|contains:
            - 'stop '
            - 'delete '
    selection_service:
        CommandLine|contains:
            - 'Circular Kernel Context Logger'
            - 'EventLog-' # Cover multiple traces starting with EventLog-*
            - 'SYSMON TRACE'
            - 'SysmonDnsEtwSession'
    condition: all of selection*
falsepositives:
    - Legitimate deactivation by administrative staff
    - Installer tools that disable services, e.g. before log collection agent installation
level: high
level: high · quality: Moderate · alert volume: High FP
Suspicious Windows Update Agent Empty Cmdline
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
status: test · author: Florian Roth (Nextron Systems) · ATT&CK: technique · id: 52d097e2-063e-4c9c-8fbb-855c8948d135
title: Suspicious Windows Update Agent Empty Cmdline
id: 52d097e2-063e-4c9c-8fbb-855c8948d135
status: test
description: |
    Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-26
modified: 2023-11-11
tags:
    - attack.stealth
    - attack.t1036
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\Wuauclt.exe'
        - OriginalFileName: 'Wuauclt.exe'
    selection_cli:
        CommandLine|endswith:
            - 'Wuauclt'
            - 'Wuauclt.exe'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
status: test · author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems) · ATT&CK: sub-technique · id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
title: Suspicious WmiPrvSE Child Process
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
related:
    - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
      type: similar
    - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
      type: similar
    - id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
      type: obsolete
status: test
description: Detects suspicious and uncommon child processes of WmiPrvSE
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
    - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
    - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
    - https://twitter.com/ForensicITGuy/status/1334734244120309760
author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-11-10
tags:
    - attack.execution
    - attack.stealth
    - attack.t1047
    - attack.t1204.002
    - attack.t1218.010
logsource:
    product: windows
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\wbem\WmiPrvSE.exe'
    selection_children_1:
        # TODO: Add more LOLBINs or suspicious processes that make sense in your environment
        Image|endswith:
            - '\certutil.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\verclsid.exe'
            - '\wscript.exe'
    selection_children_2:
        # This is in a separate selection due to the nature of FP generated with CMD
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'cscript'
            - 'mshta'
            - 'powershell'
            - 'pwsh'
            - 'regsvr32'
            - 'rundll32'
            - 'wscript'
    filter_main_werfault:
        Image|endswith: '\WerFault.exe'
    filter_main_wmiprvse:
        Image|endswith: '\WmiPrvSE.exe' # In some legitimate cases WmiPrvSE was seen spawning itself
    filter_main_msiexec:
        Image|endswith: '\msiexec.exe'
        CommandLine|contains: '/i '
    condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
level: high · quality: Strong · alert volume: Medium FP
Suspicious Word Cab File Write CVE-2021-40444
Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
status: test · author: Florian Roth (Nextron Systems), Sittikorn S · ATT&CK: technique · id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
title: Suspicious Word Cab File Write CVE-2021-40444
id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
status: test
description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
references:
    - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
    - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
author: Florian Roth (Nextron Systems), Sittikorn S
date: 2021-09-10
modified: 2023-06-22
tags:
    - attack.resource-development
    - attack.t1587
    - detection.emerging-threats
logsource:
    product: windows
    category: file_event
detection:
    selection_cab:
        Image|endswith: '\winword.exe'
        TargetFilename|contains: '\Windows\INetCache'
        TargetFilename|endswith: '.cab'
    selection_inf:
        Image|endswith: '\winword.exe'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.inf'
    filter_main_legit:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains: 'AppData\Local\Temp'
        TargetFilename|endswith: '\Content.inf'
    condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high