Tool
SIEM
Sigma (generic) detection rules
3,750 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Expand any rule to see its raw YAML and convert it inline to native query syntax. Pick a platform above to browse every rule already rendered in that language.
Get the raw rules from SigmaHQ Detection Rules
The raw generic YAML, served by SigmaHQ. Pick a platform above to download a ready-to-deploy converted pack.
Filter by techniquepick techniques from the ATT&CK matrix
Reconnaissance12
Resource Development10
Initial Access10
Execution30
Persistence43
Privilege Escalation20
Stealth83
Defense Impairment32
Credential Access35
Discovery33
Lateral Movement16
Collection20
Command and Control24
Exfiltration10
Impact18
Using these Sigma rules
Deploy. Pick your SIEM above and paste the rendered query straight into a saved search or detection rule, or expand any rule to convert its generic YAML inline to the language you run.
Adapt. Map the field names to your log schema - Sigma assumes a normalised taxonomy - and tune thresholds and timeframes to your own baseline before you trust the alert.
Validate. Every rule is mapped to ATT&CK, so run the matching Atomic Red Team test on /atomic to confirm the rule actually fires before you rely on it.
Judge. Each rule shows a quality tier (Strong / Moderate / Basic) and an estimated alert-volume tier (Low / Medium / High FP), both scored deterministically from the rule's shape - status, detection depth, match breadth, log source, documented false positives and references. A rule existing is not the same as a rule being good, or being quiet; hover either tier for the breakdown. The FP estimate reads rule shape, not a measured rate, so use it to pick what to tune first before you deploy.
◈
Detection rules
50 shown of 3,750
high
Moderate
Medium FP
UAC Bypass Using Consent and Comctl32 - File
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
view Sigma YAML
title: UAC Bypass Using Consent and Comctl32 - File
id: 62ed5b55-f991-406a-85d9-e8e8fdf18789
status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Windows\System32\consent.exe.@'
TargetFilename|endswith: '\comctl32.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Consent and Comctl32 - Process
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
view Sigma YAML
title: UAC Bypass Using Consent and Comctl32 - Process
id: 1ca6bd18-0ba0-44ca-851c-92ed89a61085
status: test
description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\consent.exe'
Image|endswith: '\werfault.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Disk Cleanup
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
view Sigma YAML
title: UAC Bypass Using Disk Cleanup
id: b697e69c-746f-4a86-9f59-7bfff8eab881
status: test
description: Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'
ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using DismHost
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
view Sigma YAML
title: UAC Bypass Using DismHost
id: 853e74f9-9392-4935-ad3b-2e8c040dae86
status: test
description: Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|contains|all:
- 'C:\Users\'
- '\AppData\Local\Temp\'
- '\DismHost.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass Using Event Viewer RecentViews
Detects the pattern of UAC Bypass using Event Viewer RecentViews
view Sigma YAML
title: UAC Bypass Using Event Viewer RecentViews
id: 30fc8de7-d833-40c4-96b6-28319fbc4f6c
related:
- id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
type: similar
status: test
description: Detects the pattern of UAC Bypass using Event Viewer RecentViews
references:
- https://twitter.com/orange_8361/status/1518970259868626944
- https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-22
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection_path:
# Example: ysoserial.exe -o raw -f BinaryFormatter - g DataSet -c calc > RecentViews & copy RecentViews %LOCALAPPDATA%\Microsoft\EventV~1\RecentViews & eventvwr.exe
CommandLine|contains:
- '\Event Viewer\RecentViews'
- '\EventV~1\RecentViews'
selection_redirect:
CommandLine|contains: '>'
condition: all of selection_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using EventVwr
Detects the pattern of a UAC bypass using Windows Event Viewer
view Sigma YAML
title: UAC Bypass Using EventVwr
id: 63e4f530-65dc-49cc-8f80-ccfa95c69d43
status: test
description: Detects the pattern of a UAC bypass using Windows Event Viewer
references:
- https://twitter.com/orange_8361/status/1518970259868626944?s=20&t=RFXqZjtA7tWM3HxqEH78Aw
- https://twitter.com/splinter_code/status/1519075134296006662?s=12&t=DLUXH86WtcmG_AZ5gY3C6g
- https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute
author: Antonio Cocomazzi (idea), Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2022-11-22
tags:
- attack.privilege-escalation
- attack.stealth
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
# Removed the start just in case the logging backend doesn't expand ENV variables when they're used
- '\Microsoft\Event Viewer\RecentViews'
- '\Microsoft\EventV~1\RecentViews'
filter:
Image|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using IDiagnostic Profile
Detects the "IDiagnosticProfileUAC" UAC bypass technique
view Sigma YAML
title: UAC Bypass Using IDiagnostic Profile
id: 4cbef972-f347-4170-b62a-8253f6168e6d
status: test
description: Detects the "IDiagnosticProfileUAC" UAC bypass technique
references:
- https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
modified: 2024-12-01
tags:
- attack.execution
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\DllHost.exe'
ParentCommandLine|contains: ' /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
view Sigma YAML
title: UAC Bypass Using IDiagnostic Profile - File
id: 48ea844d-19b1-4642-944e-fe39c2cc1fec
status: test
description: Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
references:
- https://github.com/Wh04m1001/IDiagnosticProfileUAC
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-03
tags:
- attack.execution
- attack.privilege-escalation
- attack.t1548.002
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\DllHost.exe'
TargetFilename|startswith: 'C:\Windows\System32\'
TargetFilename|endswith: '.dll'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using IEInstal - File
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
view Sigma YAML
title: UAC Bypass Using IEInstal - File
id: bdd8157d-8e85-4397-bb82-f06cc9c71dbb
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
Image: 'C:\Program Files\Internet Explorer\IEInstal.exe'
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains: '\AppData\Local\Temp\'
TargetFilename|endswith: 'consent.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using IEInstal - Process
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
view Sigma YAML
title: UAC Bypass Using IEInstal - Process
id: 80fc36aa-945e-4181-89f2-2f907ab6775d
status: test
description: Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
ParentImage|endswith: '\ieinstal.exe'
Image|contains: '\AppData\Local\Temp\'
Image|endswith: 'consent.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
view Sigma YAML
title: UAC Bypass Using Iscsicpl - ImageLoad
id: 9ed5959a-c43c-4c59-84e3-d28628429456
status: test
description: Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
references:
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC
- https://twitter.com/wdormann/status/1547583317410607110
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-17
modified: 2022-07-25
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
product: windows
category: image_load
detection:
selection:
Image: C:\Windows\SysWOW64\iscsicpl.exe
ImageLoaded|endswith: '\iscsiexe.dll'
filter:
ImageLoaded|contains|all:
- 'C:\Windows\'
- 'iscsiexe.dll'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using MSConfig Token Modification - File
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
view Sigma YAML
title: UAC Bypass Using MSConfig Token Modification - File
id: 41bb431f-56d8-4691-bb56-ed34e390906f
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using MSConfig Token Modification - Process
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
view Sigma YAML
title: UAC Bypass Using MSConfig Token Modification - Process
id: ad92e3f9-7eb6-460e-96b1-582b0ccbb980
status: test
description: Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe'
CommandLine: '"C:\Windows\system32\msconfig.exe" -5'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using NTFS Reparse Point - File
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
view Sigma YAML
title: UAC Bypass Using NTFS Reparse Point - File
id: 7fff6773-2baa-46de-a24a-b6eec1aba2d1
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\api-ms-win-core-kernel32-legacy-l1.DLL'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
view Sigma YAML
title: UAC Bypass Using NTFS Reparse Point - Process
id: 39ed3c80-e6a1-431b-9df3-911ac53d08a7
status: test
description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\'
CommandLine|endswith: '\AppData\Local\Temp\update.msu'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
selection2:
ParentCommandLine: '"C:\Windows\system32\dism.exe" /online /quiet /norestart /add-package /packagepath:"C:\Windows\system32\pe386" /ignorecheck'
IntegrityLevel:
- 'High'
- 'System'
CommandLine|contains|all:
- 'C:\Users\'
- '\AppData\Local\Temp\'
- '\dismhost.exe {'
Image|endswith: '\DismHost.exe'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using PkgMgr and DISM
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
view Sigma YAML
title: UAC Bypass Using PkgMgr and DISM
id: a743ceba-c771-4d75-97eb-8a90f7f4844c
status: test
description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\pkgmgr.exe'
Image|endswith: '\dism.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using WOW64 Logger DLL Hijack
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
view Sigma YAML
title: UAC Bypass Using WOW64 Logger DLL Hijack
id: 4f6c43e2-f989-4ea5-bcd8-843b49a0317c
status: test
description: Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_access
product: windows
detection:
selection:
SourceImage|contains: ':\Windows\SysWOW64\'
GrantedAccess: '0x1fffff'
CallTrace|startswith: 'UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Windows Media Player - File
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
view Sigma YAML
title: UAC Bypass Using Windows Media Player - File
id: 68578b43-65df-4f81-9a9b-92f32711a951
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2022-10-09
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: file_event
product: windows
detection:
selection1:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|endswith: '\AppData\Local\Temp\OskSupport.dll'
selection2:
Image: 'C:\Windows\system32\DllHost.exe'
TargetFilename: 'C:\Program Files\Windows Media Player\osk.exe'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Windows Media Player - Process
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
view Sigma YAML
title: UAC Bypass Using Windows Media Player - Process
id: 0058b9e5-bcd7-40d4-9205-95ca5a16d7b2
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection_img_1:
Image: 'C:\Program Files\Windows Media Player\osk.exe'
selection_img_2:
Image: 'C:\Windows\System32\cmd.exe'
ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'
selection_integrity:
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: 1 of selection_img_* and selection_integrity
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass Using Windows Media Player - Registry
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
view Sigma YAML
title: UAC Bypass Using Windows Media Player - Registry
id: 5f9db380-ea57-4d1e-beab-8a2d33397e93
status: test
description: Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
references:
- https://github.com/hfiref0x/UACME
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Windows Media Player\osk.exe'
Details: 'Binary Data'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass Via Wsreset
Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
view Sigma YAML
title: UAC Bypass Via Wsreset
id: 6ea3bf32-9680-422d-9f50-e90716b12a66
status: test
description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
references:
- https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset
author: oscd.community, Dmitry Uchakin
date: 2020-10-07
modified: 2021-11-27
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass WSReset
Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
view Sigma YAML
title: UAC Bypass WSReset
id: 89a9a0e0-f61a-42e5-8957-b1479565a658
status: test
description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
references:
- https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
- https://github.com/hfiref0x/UACME
- https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
author: Christian Burkard (Nextron Systems)
date: 2021-08-23
modified: 2024-12-01
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\wsreset.exe'
IntegrityLevel:
- 'High'
- 'System'
- 'S-1-16-16384' # System
- 'S-1-16-12288' # High
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
UAC Bypass With Fake DLL
Attempts to load dismcore.dll after dropping it
view Sigma YAML
title: UAC Bypass With Fake DLL
id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
status: test
description: Attempts to load dismcore.dll after dropping it
references:
- https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
author: oscd.community, Dmitry Uchakin
date: 2020-10-06
modified: 2022-12-25
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1548.002
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\dism.exe'
ImageLoaded|endswith: '\dismcore.dll'
filter:
ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll'
condition: selection and not filter
falsepositives:
- Actions of a legitimate telnet client
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass via Event Viewer
Detects UAC bypass method using Windows event viewer
view Sigma YAML
title: UAC Bypass via Event Viewer
id: 7c81fec3-1c1d-43b0-996a-46753041b1b6
status: test
description: Detects UAC bypass method using Windows event viewer
references:
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
- https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2023-09-28
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\mscfile\shell\open\command'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
view Sigma YAML
title: UAC Bypass via ICMLuaUtil
id: 49f2f17b-b4c8-4172-a68b-d5bf95d05130
status: test
description: Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
references:
- https://www.elastic.co/guide/en/security/current/uac-bypass-via-icmluautil-elevated-com-interface.html
author: Florian Roth (Nextron Systems), Elastic (idea)
date: 2022-09-13
modified: 2022-09-27
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\dllhost.exe'
ParentCommandLine|contains:
- '/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- '/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
filter:
- Image|endswith: '\WerFault.exe'
- OriginalFileName: 'WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UAC Bypass via Sdclt
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
view Sigma YAML
title: UAC Bypass via Sdclt
id: 5b872a46-3b90-45c1-8419-f675db8053aa
status: test
description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
references:
- https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/
- https://github.com/hfiref0x/UACME
author: Omer Yampel, Christian Burkard (Nextron Systems)
date: 2017-03-17
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.t1548.002
- car.2019-04-001
logsource:
category: registry_set
product: windows
detection:
selection1:
TargetObject|endswith: 'Software\Classes\exefile\shell\runas\command\isolatedCommand'
selection2:
TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue'
Details|re: '-1[0-9]{3}\\Software\\Classes\\'
condition: 1 of selection*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UEFI Persistence Via Wpbbin - FileCreation
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
view Sigma YAML
title: UEFI Persistence Via Wpbbin - FileCreation
id: e94b9ddc-eec5-4bb8-8a58-b9dc5f4e185f
status: test
description: Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
references:
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- https://persistence-info.github.io/Data/wpbbin.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-18
tags:
- attack.persistence
- attack.stealth
- attack.t1542.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename: 'C:\Windows\System32\wpbbin.exe'
condition: selection
falsepositives:
- Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
level: high
Convert to SIEM query
high
Moderate
Medium FP
UEFI Persistence Via Wpbbin - ProcessCreation
Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
view Sigma YAML
title: UEFI Persistence Via Wpbbin - ProcessCreation
id: 4abc0ec4-db5a-412f-9632-26659cddf145
status: test
description: Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
references:
- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
- https://persistence-info.github.io/Data/wpbbin.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-18
tags:
- attack.persistence
- attack.stealth
- attack.t1542.001
logsource:
product: windows
category: process_creation
detection:
selection:
Image: 'C:\Windows\System32\wpbbin.exe'
condition: selection
falsepositives:
- Legitimate usage of the file by hardware manufacturer such as lenovo (Thanks @0gtweet for the tip)
level: high
Convert to SIEM query
high
Strong
Medium FP
UNC2452 Process Creation Patterns
Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
view Sigma YAML
title: UNC2452 Process Creation Patterns
id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f
status: test
description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
references:
- https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
author: Florian Roth (Nextron Systems)
date: 2021-01-22
modified: 2024-09-12
tags:
- attack.execution
- attack.t1059.001
- detection.emerging-threats
# - sunburst
# - unc2452
logsource:
category: process_creation
product: windows
detection:
# To avoid writing complex condition. "selection_generic_1" and "selection_generic_2" are the same except for the extension used.
selection_generic_1:
CommandLine|contains:
- '7z.exe a -v500m -mx9 -r0 -p'
- '7z.exe a -mx9 -r0 -p'
CommandLine|contains|all:
- '.zip'
- '.txt'
selection_generic_2:
CommandLine|contains:
- '7z.exe a -v500m -mx9 -r0 -p'
- '7z.exe a -mx9 -r0 -p'
CommandLine|contains|all:
- '.zip'
- '.log'
selection_generic_3:
ParentCommandLine|contains|all:
- 'wscript.exe'
- '.vbs'
CommandLine|contains|all:
- 'rundll32.exe'
- 'C:\Windows'
- '.dll,Tk_'
selection_generic_4:
ParentImage|endswith: '\rundll32.exe'
ParentCommandLine|contains|all:
- 'C:\Windows'
- '.dll'
CommandLine|contains: 'cmd.exe /C '
selection_generic_5:
ParentImage|endswith: '\rundll32.exe'
Image|endswith: '\dllhost.exe'
CommandLine: ''
condition: 1 of selection_generic_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UNC4841 - Barracuda ESG Exploitation Indicators
Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
view Sigma YAML
title: UNC4841 - Barracuda ESG Exploitation Indicators
id: 5627c337-a9b2-407a-a82d-5fd97035ff39
status: test
description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
modified: 2025-08-19
tags:
- attack.execution
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|endswith:
- '/11111.tar'
- '/aacore.sh'
- '/appcheck.sh'
- '/autoins'
- '/BarracudaMailService'
- '/etc/cron.daily/core_check.sh'
- '/etc/cron.daily/core.sh'
- '/etc/cron.hourly/aacore.sh'
- '/etc/cron.hourly/appcheck.sh'
- '/etc/cron.hourly/core.sh'
- '/get_fs_info.pl'
- '/imgdata.jpg'
- '/install_att_v2.tar'
- '/install_bvp74_auth.tar'
- '/install_helo.tar'
- '/install_reuse.tar'
- '/intent_helo'
- '/intent_reuse'
- '/intentbas'
# - '/mknod'
- '/mod_attachment.lua'
- '/mod_content.lua'
- '/mod_require_helo.lua'
- '/mod_rtf'
- '/mod_sender.lua'
- '/mod_udp.so'
- '/nfsd_stub.ko'
- '/resize_reisertab'
- '/resize_risertab'
- '/resize2fstab'
- '/rverify'
- '/saslautchd'
- '/sendscd'
- '/snapshot.tar'
- '/tmp/p'
- '/tmp/p7'
- '/tmp/t'
- '/update_v2.sh'
- '/update_v31.sh'
- '/update_v35.sh'
- '/update_version'
condition: selection
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Moderate
High FP
UNC4841 - Download Compressed Files From Temp.sh Using Wget
Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
view Sigma YAML
title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
id: 60d050c4-e253-4d9a-b673-5ac100cfddfb
status: test
description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.stealth
- attack.t1140
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/wget'
CommandLine|contains: 'https://temp.sh/'
CommandLine|endswith:
- '.rar'
- '.zip'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
view Sigma YAML
title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
id: 23835beb-ec38-4e74-a5d4-b99af6684e91
status: test
description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.stealth
- attack.t1140
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/wget'
CommandLine|re: 'https://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
CommandLine|contains: '--no-check-certificate'
CommandLine|endswith: '.tar'
filter_main_local_ips:
# Note: Uncomment this filter if you want to exclude local IPs
CommandLine|contains:
- 'https://10.' # 10.0.0.0/8
- 'https://192.168.' # 192.168.0.0/16
- 'https://172.16.' # 172.16.0.0/12
- 'https://172.17.'
- 'https://172.18.'
- 'https://172.19.'
- 'https://172.20.'
- 'https://172.21.'
- 'https://172.22.'
- 'https://172.23.'
- 'https://172.24.'
- 'https://172.25.'
- 'https://172.26.'
- 'https://172.27.'
- 'https://172.28.'
- 'https://172.29.'
- 'https://172.30.'
- 'https://172.31.'
- 'https://127.' # 127.0.0.0/8
- 'https://169.254.' # 169.254.0.0/16
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
High FP
UNC4841 - Email Exfiltration File Pattern
Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
view Sigma YAML
title: UNC4841 - Email Exfiltration File Pattern
id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a
status: test
description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.execution
- attack.persistence
- detection.emerging-threats
- attack.stealth
logsource:
product: linux
category: file_event
detection:
selection:
TargetFilename|re: '/mail/tmp/[a-zA-Z0-9]{3}[0-9]{3}\.tar\.gz'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
UNC4841 - SSL Certificate Exfiltration Via Openssl
Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
view Sigma YAML
title: UNC4841 - SSL Certificate Exfiltration Via Openssl
id: 60911c07-f989-4362-84af-c609828ef829
status: test
description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
references:
- https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-16
tags:
- attack.stealth
- attack.t1140
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/openssl'
CommandLine|re: '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
CommandLine|contains|all:
- 's_client'
- '-quiet'
- '-connect'
CommandLine|contains:
- ':443'
- ':8080'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon Child Process Of Setres.EXE
Detects uncommon child process of Setres.EXE.
Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
view Sigma YAML
title: Uncommon Child Process Of Setres.EXE
id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
status: test
description: |
Detects uncommon child process of Setres.EXE.
Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Setres/
- https://twitter.com/0gtweet/status/1583356502340870144
- https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
date: 2022-12-11
modified: 2024-06-26
tags:
- attack.stealth
- attack.t1218
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\setres.exe'
Image|contains: '\choice'
filter_main_legit_location:
Image|endswith:
- 'C:\Windows\System32\choice.exe'
- 'C:\Windows\SysWOW64\choice.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
High FP
Uncommon Extension In Keyboard Layout IME File Registry Value
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
view Sigma YAML
title: Uncommon Extension In Keyboard Layout IME File Registry Value
id: b888e3f2-224d-4435-b00b-9dd66e9ea1f1
related:
- id: 9d8f9bb8-01af-4e15-a3a2-349071530530
type: derived
status: test
description: |
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
references:
- https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/
author: X__Junior (Nextron Systems)
date: 2023-11-21
tags:
- attack.defense-impairment
- attack.t1685
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains|all:
- '\Control\Keyboard Layouts\'
- 'Ime File'
filter_main_known_extension:
Details|endswith: '.ime'
condition: selection and not 1 of filter_main_*
falsepositives:
- IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon File Created In Office Startup Folder
Detects the creation of a file with an uncommon extension in an Office application startup folder
view Sigma YAML
title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
- https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
- http://addbalance.com/word/startup.htm
- https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
- https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
- attack.resource-development
- attack.t1587.001
logsource:
product: windows
category: file_event
detection:
selection_word_paths:
- TargetFilename|contains: '\Microsoft\Word\STARTUP'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\STARTUP'
filter_exclude_word_ext:
TargetFilename|endswith:
- '.docb' # Word binary document introduced in Microsoft Office 2007
- '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
- '.docx' # Word document
- '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
- '.mdb' # MS Access DB
- '.mdw' # MS Access DB
- '.pdf' # PDF documents
- '.wll' # Word add-in
- '.wwl' # Word add-in
selection_excel_paths:
- TargetFilename|contains: '\Microsoft\Excel\XLSTART'
- TargetFilename|contains|all:
- '\Office'
- '\Program Files'
- '\XLSTART'
filter_exclude_excel_ext:
TargetFilename|endswith:
- '.xll'
- '.xls'
- '.xlsm'
- '.xlsx'
- '.xlt'
- '.xltm'
- '.xlw'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
Image|endswith:
- '\winword.exe'
- '\excel.exe'
condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
- False positive might stem from rare extensions used by other Office utilities.
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
view Sigma YAML
title: Uncommon File Created by Notepad++ Updater Gup.EXE
id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
status: experimental
description: |
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
references:
- https://notepad-plus-plus.org/news/v889-released/
- https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
- https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
modified: 2026-03-16
tags:
- attack.collection
- attack.credential-access
- attack.t1195.002
- attack.initial-access
- attack.t1557
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\gup.exe'
filter_main_legit_paths:
TargetFilename|startswith:
- 'C:\Program Files\Notepad++\'
- 'C:\Program Files (x86)\Notepad++\'
filter_main_temp_update_installer:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- 'npp.'
- '.Installer.'
- '.exe'
filter_main_temp_generic_zip:
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Temp\'
- '.zip'
filter_main_recycle_bin:
TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
filter_main_plugins:
- TargetFilename|contains:
- '\plugins\JsonTools\testfiles\'
- '\Notepad++\plugins\ComparePlugin\'
- TargetFilename|contains|all:
- 'npp.'
- '.portable.'
- '\plugins\'
condition: selection and not 1 of filter_main_*
falsepositives:
- Custom or portable Notepad++ installations in non-standard directories.
- Legitimate update processes creating temporary files in unexpected locations.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Uncommon File Creation By Mysql Daemon Process
Detects the creation of files with scripting or executable extensions by Mysql daemon.
Which could be an indicator of "User Defined Functions" abuse to download malware.
view Sigma YAML
title: Uncommon File Creation By Mysql Daemon Process
id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
status: test
description: |
Detects the creation of files with scripting or executable extensions by Mysql daemon.
Which could be an indicator of "User Defined Functions" abuse to download malware.
references:
- https://asec.ahnlab.com/en/58878/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-mysql-malware-infection-via-user-defined-functions-udf/
author: Joseph Kamau
date: 2024-05-27
tags:
- attack.stealth
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- \mysqld.exe
- \mysqld-nt.exe
TargetFilename|endswith:
- '.bat'
- '.dat'
- '.dll'
- '.exe'
- '.ps1'
- '.psm1'
- '.vbe'
- '.vbs'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Uncommon FileSystem Load Attempt By Format.com
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
view Sigma YAML
title: Uncommon FileSystem Load Attempt By Format.com
id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
status: test
description: |
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
references:
- https://twitter.com/0gtweet/status/1477925112561209344
- https://twitter.com/wdormann/status/1478011052130459653?s=20
author: Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2024-05-13
tags:
- attack.stealth
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\format.com'
CommandLine|contains: '/fs:'
filter_main_known_fs:
CommandLine|contains:
- '/fs:exFAT'
- '/fs:FAT'
- '/fs:NTFS'
- '/fs:ReFS'
- '/fs:UDF'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon Microsoft Office Trusted Location Added
Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
view Sigma YAML
title: Uncommon Microsoft Office Trusted Location Added
id: f742bde7-9528-42e5-bd82-84f51a8387d2
related:
- id: a0bed973-45fa-4625-adb5-6ecdf9be70ac
type: derived
status: test
description: Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
references:
- Internal Research
- https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-09-29
tags:
- attack.persistence
- attack.defense-impairment
- attack.t1112
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: 'Security\Trusted Locations\Location'
TargetObject|endswith: '\Path'
filter_exclude_known_paths:
Details|contains:
- '%APPDATA%\Microsoft\Templates'
- '%%APPDATA%%\Microsoft\Templates'
- '%APPDATA%\Microsoft\Word\Startup'
- '%%APPDATA%%\Microsoft\Word\Startup'
- ':\Program Files (x86)\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office (x86)\Templates'
- ':\Program Files\Microsoft Office\root\Templates\'
- ':\Program Files\Microsoft Office\Templates\'
filter_main_office_click_to_run:
Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_main_office_apps:
Image|contains:
- ':\Program Files\Microsoft Office\'
- ':\Program Files (x86)\Microsoft Office\'
condition: selection and not 1 of filter_main_* and not 1 of filter_exclude_*
falsepositives:
- Other unknown legitimate or custom paths need to be filtered to avoid false positives
level: high
Convert to SIEM query
high
Moderate
Medium FP
Uncommon Network Connection Initiated By Certutil.EXE
Detects a network connection initiated by the certutil.exe utility.
Attackers can abuse the utility in order to download malware or additional payloads.
view Sigma YAML
title: Uncommon Network Connection Initiated By Certutil.EXE
id: 0dba975d-a193-4ed1-a067-424df57570d1
status: test
description: |
Detects a network connection initiated by the certutil.exe utility.
Attackers can abuse the utility in order to download malware or additional payloads.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
author: frack113, Florian Roth (Nextron Systems)
date: 2022-09-02
modified: 2024-05-31
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\certutil.exe'
Initiated: 'true'
DestinationPort:
- 80
- 135
- 443
- 445
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon One Time Only Scheduled Task At 00:00
Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
view Sigma YAML
title: Uncommon One Time Only Scheduled Task At 00:00
id: 970823b7-273b-460a-8afc-3a6811998529
status: test
description: Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
author: pH-T (Nextron Systems)
date: 2022-07-15
modified: 2023-02-03
tags:
- attack.execution
- attack.persistence
- attack.privilege-escalation
- attack.t1053.005
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\schtasks.exe'
- OriginalFileName: 'schtasks.exe'
selection_cli:
CommandLine|contains:
- 'wscript'
- 'vbscript'
- 'cscript'
- 'wmic '
- 'wmic.exe'
- 'regsvr32.exe'
- 'powershell'
- '\AppData\'
selection_time:
CommandLine|contains|all:
- 'once'
- '00:00'
condition: all of selection_*
falsepositives:
- Software installation
level: high
Convert to SIEM query
high
Moderate
Medium FP
Uncommon Svchost Command Line Parameter
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
view Sigma YAML
title: Uncommon Svchost Command Line Parameter
id: f17211f1-1f24-4d0c-829f-31e28dc93cdd
status: experimental
description: |
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
references:
- https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/
- https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
- https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
author: Liran Ravich
date: 2025-11-14
modified: 2026-03-23
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1036.005
- attack.t1055
- attack.t1055.012
logsource:
category: process_creation
product: windows
detection:
selection:
# Example of command to simulate: "C:\Windows\System32\svchost.exe" calc.exe
Image|endswith: '\svchost.exe'
filter_main_flags:
CommandLine|re: '-k\s\w{1,64}(?:\s?(?:-p|-s))?'
filter_main_empty:
CommandLine: ''
filter_main_null:
CommandLine: null
filter_optional_defender:
ParentImage|endswith: '\MsMpEng.exe'
CommandLine|contains: 'svchost.exe'
filter_optional_mrt:
ParentImage|endswith: '\MRT.exe'
CommandLine: 'svchost.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
high
Strong
Medium FP
Uncommon Userinit Child Process
Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
view Sigma YAML
title: Uncommon Userinit Child Process
id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
related:
- id: 21d856f9-9281-4ded-9377-51a1a6e2a432
type: similar
status: test
description: Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
references:
- https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html
- https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
author: Tom Ueltschi (@c_APT_ure), Tim Shelton
date: 2019-01-12
modified: 2023-11-14
tags:
- attack.privilege-escalation
- attack.t1037.001
- attack.persistence
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\userinit.exe'
filter_main_explorer:
Image|endswith: ':\WINDOWS\explorer.exe'
filter_optional_logonscripts:
CommandLine|contains:
- 'netlogon.bat'
- 'UsrLogon.cmd'
filter_optional_windows_core:
# Note: This filter is mandatory on Windows Core machines as the default shell spawned by "userinit" is "powershell.exe".
# https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core
CommandLine: 'PowerShell.exe'
filter_optional_proquota:
Image|endswith:
- ':\Windows\System32\proquota.exe'
- ':\Windows\SysWOW64\proquota.exe'
filter_optional_citrix:
Image|endswith:
# As reported by https://github.com/SigmaHQ/sigma/issues/4569
- ':\Program Files (x86)\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files (x86)\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files (x86)\Citrix\System32\icast.exe'
- ':\Program Files\Citrix\HDX\bin\cmstart.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files\Citrix\HDX\bin\icast.exe' # https://support.citrix.com/article/CTX983798/purpose-of-cmstart-command
- ':\Program Files\Citrix\System32\icast.exe'
filter_optional_image_null:
Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly.
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unfamiliar Sign-In Properties
Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
view Sigma YAML
title: Unfamiliar Sign-In Properties
id: 128faeef-79dd-44ca-b43c-a9e236a60f49
status: test
description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
references:
- https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023-09-03
tags:
- attack.stealth
- attack.t1078
- attack.persistence
- attack.privilege-escalation
- attack.initial-access
logsource:
product: azure
service: riskdetection
detection:
selection:
riskEventType: 'unfamiliarFeatures'
condition: selection
falsepositives:
- User changing to a new device, location, browser, etc.
level: high
Convert to SIEM query
high
Moderate
High FP
Uninstall Crowdstrike Falcon Sensor
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
view Sigma YAML
title: Uninstall Crowdstrike Falcon Sensor
id: f0f7be61-9cf5-43be-9836-99d6ef448a18
status: test
description: Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: frack113
date: 2021-07-12
modified: 2023-03-09
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\WindowsSensor.exe'
- ' /uninstall'
- ' /quiet'
condition: selection
falsepositives:
- Administrator might leverage the same command line for debugging or other purposes. However this action must be always investigated
level: high
Convert to SIEM query
high
Strong
High FP
Uninstall Sysinternals Sysmon
Detects the removal of Sysmon, which could be a potential attempt at defense evasion
view Sigma YAML
title: Uninstall Sysinternals Sysmon
id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
status: test
description: Detects the removal of Sysmon, which could be a potential attempt at defense evasion
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
author: frack113
date: 2022-01-12
modified: 2024-03-13
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection_pe:
- Image|endswith:
- \Sysmon64.exe
- \Sysmon.exe
- Description: 'System activity monitor'
selection_cli:
CommandLine|contains|windash: '-u'
condition: all of selection_*
falsepositives:
- Legitimate administrators might use this command to remove Sysmon for debugging purposes
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unsigned Binary Loaded From Suspicious Location
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
view Sigma YAML
title: Unsigned Binary Loaded From Suspicious Location
id: 8289bf8c-4aca-4f5a-9db3-dc3d7afe5c10
status: test
description: Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
references:
- https://github.com/nasbench/EVTX-ETW-Resources/blob/45fd5be71a51aa518b1b36d4e1f36af498084e27/ETWEventsList/CSV/Windows11/21H2/W11_21H2_Pro_20220719_22000.795/Providers/Microsoft-Windows-Security-Mitigations.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-03
modified: 2022-09-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: security-mitigations
detection:
selection:
EventID:
- 11
- 12
ImageName|contains:
- '\Users\Public\'
- '\PerfLogs\'
- '\Desktop\'
- '\Downloads\'
- '\AppData\Local\Temp\'
- 'C:\Windows\TEMP\'
condition: selection
falsepositives:
- Unknown
level: high
Convert to SIEM query
high
Moderate
Medium FP
Unsigned Mfdetours.DLL Sideloading
Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
view Sigma YAML
title: Unsigned Mfdetours.DLL Sideloading
id: 948a0953-f287-4806-bbcb-3b2e396df89f
related:
- id: d2605a99-2218-4894-8fd3-2afb7946514d
type: similar
status: test
description: Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-11
tags:
- attack.persistence
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith: '\mfdetours.dll'
filter_main_legit_path:
ImageLoaded|contains: ':\Program Files (x86)\Windows Kits\10\bin\'
SignatureStatus: 'Valid'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
Convert to SIEM query
Showing 1751-1800 of 3,750