Home/Sigma rules
Sigma

Sigma detection rules

1,417 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

50 shown of 1,417
high
Invoke-Obfuscation VAR+ Launcher - PowerShell
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 0adfbc14-0ed1-11eb-adc1-0242ac120002
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - PowerShell
id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - PowerShell Module
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - PowerShell Module
id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e
related:
    - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
      type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: 'cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - Security
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id dcf2db1f-f091-425b-a821-c05875b8925a
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - Security
id: dcf2db1f-f091-425b-a821-c05875b8925a
related:
    - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
      type: derived
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        # ServiceFileName|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        ServiceFileName|contains|all:
            - 'cmd'
            - '"set'
            - '-f'
        ServiceFileName|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR+ Launcher - System
Detects Obfuscated use of Environment Variables to execute PowerShell
status test author Jonathan Cheong, oscd.community id 8ca7004b-e620-4ecb-870e-86129b5b8e75
view Sigma YAML 
title: Invoke-Obfuscation VAR+ Launcher - System
id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
status: test
description: Detects Obfuscated use of Environment Variables to execute PowerShell
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task 24)
author: Jonathan Cheong, oscd.community
date: 2020-10-15
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: 'cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
        # Example 1: C:\winDoWs\SySTeM32\cmd.Exe /C"SET NOtI=Invoke-Expression (New-Object Net.WebClient).DownloadString&& PowERshElL -NOl SET-iteM ( 'VAR' + 'i'+ 'A' + 'blE:Ao6' + 'I0') ( [TYpe](\"{2}{3}{0}{1}\"-F 'iRoN','mENT','e','nv') ) ; ${exECUtIONCOnTEXT}.\"IN`VO`KecOmMaND\".\"inVo`KES`crIPt\"( ( ( GEt-VAriAble ( 'a' + 'o6I0') -vaLU )::(\"{1}{4}{2}{3}{0}\" -f'e','gETenvIR','NtvaRIa','BL','ONme' ).Invoke(( \"{0}{1}\"-f'n','oti' ),( \"{0}{1}\" -f'pRoC','esS') )) )"
        # Example 2: cMD.exe /C "seT SlDb=Invoke-Expression (New-Object Net.WebClient).DownloadString&& pOWErShell .(( ^&(\"{1}{0}{2}{3}\" -f 'eT-vaR','G','iab','lE' ) (\"{0}{1}\" -f '*m','DR*' ) ).\"na`ME\"[3,11,2]-JOIN'' ) ( ( ^&(\"{0}{1}\" -f'g','CI' ) (\"{0}{1}\" -f 'ENV',':SlDb' ) ).\"VA`luE\" ) "
        ImagePath|contains|all:
            - 'cmd'
            - '"set'
            - '-f'
        ImagePath|contains:
            - '/c'
            - '/r'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id e9f55347-2928-4c06-88e5-1a7f8169942e
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
id: e9f55347-2928-4c06-88e5-1a7f8169942e
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # CommandLine|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        CommandLine|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        CommandLine|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id e54f5149-6ba3-49cf-b153-070d24679126
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
id: e54f5149-6ba3-49cf-b153-070d24679126
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6
related:
    - id: e54f5149-6ba3-49cf-b153-070d24679126
      type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30
related:
    - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
      type: derived
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        # ServiceFileName|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        ServiceFileName|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        ServiceFileName|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
Detects Obfuscated Powershell via VAR++ LAUNCHER
status test author Timur Zinniatullin, oscd.community id 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
view Sigma YAML 
title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
status: test
description: Detects Obfuscated Powershell via VAR++ LAUNCHER
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task27)
author: Timur Zinniatullin, oscd.community
date: 2020-10-13
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: '(?i)&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
        # Example 1: CMD /C"sET KUR=Invoke-Expression (New-Object Net.WebClient).DownloadString&&Set MxI=C:\wINDowS\sYsWow64\winDOWspoWERSheLl\V1.0\PowerShelL.EXe ${ExEcut`IoN`cON`TExT}.\"invo`kEcoMm`A`ND\".( \"{2}{1}{0}\" -f 'pt','EscRi','INvOk' ).Invoke( ( .( \"{0}{1}\" -f'D','IR' ) ( \"{0}{1}\"-f'ENV:kU','R')).\"vAl`Ue\" )&& CMD /C%mXI%"
        # Example 2: c:\WiNDOWS\sYSTEm32\CmD.exE /C "sEt DeJLz=Invoke-Expression (New-Object Net.WebClient).DownloadString&&set yBKM=PoWERShelL -noeX ^^^&(\"{2}{0}{1}\"-f '-ItE','m','seT') ( 'V' + 'a'+ 'RiAblE:z8J' +'U2' + 'l' ) ([TYpE]( \"{2}{3}{0}{1}\"-f 'e','NT','e','NViRONM' ) ) ; ^^^& ( ( [sTrIng]${VE`Rbo`SepReFER`Ence})[1,3] + 'X'-joIN'')( ( (.('gI') ('V' + 'a' + 'RIAbLe:z8j' + 'u2' +'l' ) ).vALUe::( \"{2}{5}{0}{1}{6}{4}{3}\" -f 'IRo','Nm','GETE','ABlE','I','nv','enTVAr').Invoke(( \"{0}{1}\"-f'd','ejLz' ),( \"{1}{2}{0}\"-f'cEss','P','RO') )) )&& c:\WiNDOWS\sYSTEm32\CmD.exE /C %ybkm%"
        ImagePath|contains|all:
            - '&&set'
            - 'cmd'
            - '/c'
            - '-f'
        ImagePath|contains:
            - '{0}'
            - '{1}'
            - '{2}'
            - '{3}'
            - '{4}'
            - '{5}'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 9c14c9fa-1a63-4a64-8e57-d19280559490
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin
id: 9c14c9fa-1a63-4a64-8e57-d19280559490
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|re: '(?i)(?:set).*&&\s?set.*(?:environment|invoke|\$\{?input).*&&.*"'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - PowerShell Module
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id c72aca44-8d52-45ad-8f81-f96c4d3c755e
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - PowerShell Module
id: c72aca44-8d52-45ad-8f81-f96c4d3c755e
related:
    - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
      type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - Powershell
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - Powershell
id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - Security
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - Security
id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1
related:
    - id: 487c7524-f892-4054-b263-8a0ace63fc25
      type: derived
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'set'
            - '&&'
        ServiceFileName|contains:
            - 'environment'
            - 'invoke'
            - '${input)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Stdin - System
Detects Obfuscated Powershell via Stdin in Scripts
status test author Nikita Nazarov, oscd.community id 487c7524-f892-4054-b263-8a0ace63fc25
view Sigma YAML 
title: Invoke-Obfuscation Via Stdin - System
id: 487c7524-f892-4054-b263-8a0ace63fc25
status: test
description: Detects Obfuscated Powershell via Stdin in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task28)
author: Nikita Nazarov, oscd.community
date: 2020-10-12
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        # ImagePath|re: '(?i)(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
        ImagePath|contains|all:
            - 'set'
            - '&&'
        ImagePath|contains:
            - 'environment'
            - 'invoke'
            - 'input'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id e1561947-b4e3-4a74-9bdd-83baed21bdb5
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip
id: e1561947-b4e3-4a74-9bdd-83baed21bdb5
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2026-03-16
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example 1: C:\WINdoWS\sySteM32\CMd /c " ECho\Invoke-Expression (New-Object Net.WebClient).DownloadString|Clip.Exe&&C:\WINdoWS\sySteM32\CMd /c pOWerSheLl -STa . ( \"{2}{0}{1}\"-f'dd-',(\"{0}{1}\" -f 'T','ype' ),'A' ) -Assembly ( \"{4}{1}{3}{0}{2}\"-f (\"{0}{1}\" -f 'nd','ow'),( \"{1}{0}\"-f'.W','stem' ),( \"{2}{1}{0}\" -f 'rms','Fo','s.'),'i','Sy') ; ${exeCUtIOnCONTeXT}.\"INV`oKECOM`m`ANd\".\"INV`ok`ESCriPT\"( ( [sYSteM.wiNDoWS.forMs.ClIPboaRD]::( \"{2}{0}{1}\" -f'Ex','t',(\"{0}{1}\" -f'Get','t' ) ).\"iNvo`Ke\"( )) ) ; [System.Windows.Forms.Clipboard]::(\"{1}{0}\" -f 'ar','Cle' ).\"in`V`oKE\"( )"
        # Example 2: C:\WINDowS\sYsTEM32\CmD.eXE /C" echo\Invoke-Expression (New-Object Net.WebClient).DownloadString| C:\WIndOWs\SYSteM32\CLip &&C:\WINDowS\sYsTEM32\CmD.eXE /C POWERSHeLL -sT -noL [Void][System.Reflection.Assembly]::( \"{0}{3}{4}{1}{2}\" -f( \"{0}{1}\"-f'Lo','adW' ),( \"{0}{1}\"-f 'Par','t'),( \"{0}{1}{2}\"-f 'ial','N','ame'),'it','h' ).\"in`VO`KE\"( ( \"{3}{1}{4}{5}{2}{0}\"-f'rms','ystem.Windo','Fo','S','w','s.' )) ; ( [wIndows.fOrms.cLIPBOArD]::( \"{1}{0}\"-f'T',( \"{1}{0}\" -f'tEX','gET' )).\"i`Nvoke\"( ) ) ^^^| ^^^& ( ( ^^^& ( \"{2}{1}{0}\"-f 'e',( \"{2}{1}{0}\"-f'IABl','aR','v' ),( \"{0}{1}\"-f'Get','-' ) ) ( \"{1}{0}\"-f'*','*MDr' )).\"n`Ame\"[3,11,2]-jOin'') ; [Windows.Forms.Clipboard]::( \"{0}{1}\" -f (\"{1}{0}\"-f'tT','Se' ),'ext').\"in`VoKe\"(' ' )"
        CommandLine|re: '(?i)echo.*clip.*&&.*(?:Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - PowerShell Module
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - PowerShell Module
id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd
related:
    - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
      type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-05
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - Powershell
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id db92dd33-a3ad-49cf-8c2c-608c3e30ace0
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - Powershell
id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009  # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2024-04-15
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|re: '(?i)echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?)'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - Security
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - Security
id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6
related:
    - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
      type: derived
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains: '(Clipboard|i'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Clip - System
Detects Obfuscated Powershell via use Clip.exe in Scripts
status test author Nikita Nazarov, oscd.community id 63e3365d-4824-42d8-8b82-e56810fefa0c
view Sigma YAML 
title: Invoke-Obfuscation Via Use Clip - System
id: 63e3365d-4824-42d8-8b82-e56810fefa0c
status: test
description: Detects Obfuscated Powershell via use Clip.exe in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task29)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains: '(Clipboard|i'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use MSHTA
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community id ac20ae82-8758-4f38-958e-b44a3140ca88
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA
id: ac20ae82-8758-4f38-958e-b44a3140ca88
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009   # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use MSHTA - PowerShell
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community id e55a5195-4724-480e-a77e-3ebe64bd3759
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - PowerShell
id: e55a5195-4724-480e-a77e-3ebe64bd3759
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use MSHTA - PowerShell Module
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community id 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - PowerShell Module
id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
related:
    - id: e55a5195-4724-480e-a77e-3ebe64bd3759
      type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-08
modified: 2023-01-04
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        Payload|contains|all:
            - 'set'
            - '&&'
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - '(window.close)'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use MSHTA - Security
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community id 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - Security
id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a
related:
    - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
      type: derived
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
            - 'window.close'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use MSHTA - System
Detects Obfuscated Powershell via use MSHTA in Scripts
status test author Nikita Nazarov, oscd.community id 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
view Sigma YAML 
title: Invoke-Obfuscation Via Use MSHTA - System
id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - 'mshta'
            - 'vbscript:createobject'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Rundll32 - PowerShell
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community id a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell
id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_4104:
        ScriptBlockText|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ScriptBlockText|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection_4104
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community id 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a
related:
    - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
      type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009
author: Nikita Nazarov, oscd.community
date: 2019-10-08
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_4103:
        Payload|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        Payload|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection_4103
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Rundll32 - Security
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community id cd0f7229-d16f-42de-8fe3-fba365fbcb3a
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - Security
id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a
related:
    - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
      type: derived
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection:
        EventID: 4697
        ServiceFileName|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ServiceFileName|contains:
            - value
            - invoke
            - comspec
            - iex
    condition: selection
falsepositives:
    - Unknown
level: high
high
Invoke-Obfuscation Via Use Rundll32 - System
Detects Obfuscated Powershell via use Rundll32 in Scripts
status test author Nikita Nazarov, oscd.community id 641a4bfb-c017-44f7-800c-2aee0184ce9b
view Sigma YAML 
title: Invoke-Obfuscation Via Use Rundll32 - System
id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
status: test
description: Detects Obfuscated Powershell via use Rundll32 in Scripts
references:
    - https://github.com/SigmaHQ/sigma/issues/1009 # (Task30)
author: Nikita Nazarov, oscd.community
date: 2020-10-09
modified: 2022-11-29
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ImagePath|contains|all:
            - '&&'
            - 'rundll32'
            - 'shell32.dll'
            - 'shellexec_rundll'
        ImagePath|contains:
            - 'value'
            - 'invoke'
            - 'comspec'
            - 'iex'
    condition: selection
falsepositives:
    - Unknown
level: high
high
JNDIExploit Pattern
Detects exploitation attempt using the JNDI-Exploit-Kit
status test author Florian Roth (Nextron Systems) id 412d55bc-7737-4d25-9542-5b396867ce55
view Sigma YAML 
title: JNDIExploit Pattern
id: 412d55bc-7737-4d25-9542-5b396867ce55
status: test
description: Detects exploitation attempt using the JNDI-Exploit-Kit
references:
    - https://github.com/pimps/JNDI-Exploit-Kit
    - https://web.archive.org/web/20231015205935/https://githubmemory.com/repo/FunctFan/JNDIExploit
author: Florian Roth (Nextron Systems)
date: 2021-12-12
modified: 2022-12-25
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '/Basic/Command/Base64/'
        - '/Basic/ReverseShell/'
        - '/Basic/TomcatMemshell'
        - '/Basic/JettyMemshell'
        - '/Basic/WeblogicMemshell'
        - '/Basic/JBossMemshell'
        - '/Basic/WebsphereMemshell'
        - '/Basic/SpringMemshell'
        - '/Deserialization/URLDNS/'
        - '/Deserialization/CommonsCollections1/Dnslog/'
        - '/Deserialization/CommonsCollections2/Command/Base64/'
        - '/Deserialization/CommonsBeanutils1/ReverseShell/'
        - '/Deserialization/Jre8u20/TomcatMemshell'
        - '/TomcatBypass/Dnslog/'
        - '/TomcatBypass/Command/'
        - '/TomcatBypass/ReverseShell/'
        - '/TomcatBypass/TomcatMemshell'
        - '/TomcatBypass/SpringMemshell'
        - '/GroovyBypass/Command/'
        - '/WebsphereBypass/Upload/'
    condition: keywords
falsepositives:
    - Legitimate apps the use these paths
level: high
high
JXA In-memory Execution Via OSAScript
Detects possible malicious execution of JXA in-memory via OSAScript
status test author Sohan G (D4rkCiph3r) id f1408a58-0e94-4165-b80a-da9f96cf6fc3
view Sigma YAML 
title: JXA In-memory Execution Via OSAScript
id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
related:
    - id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
      type: derived
status: test
description: Detects possible malicious execution of JXA in-memory via OSAScript
references:
    - https://redcanary.com/blog/applescript/
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
tags:
    - attack.t1059.002
    - attack.t1059.007
    - attack.execution
logsource:
    product: macos
    category: process_creation
detection:
    selection_main:
        CommandLine|contains|all:
            - 'osascript'
            - ' -e '
            - 'eval'
            - 'NSData.dataWithContentsOfURL'
    selection_js:
        - CommandLine|contains|all:
              - ' -l '
              - 'JavaScript'
        - CommandLine|contains: '.js'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Java Payload Strings
Detects possible Java payloads in web access logs
status test author frack113, Harjot Singh, "@cyb3rjy0t" (update) id 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
view Sigma YAML 
title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: test
description: Detects possible Java payloads in web access logs
references:
    - https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
    - https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/
    - https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md
    - https://twitter.com/httpvoid0x2f/status/1532924261035384832
    - https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035
author: frack113, Harjot Singh, "@cyb3rjy0t" (update)
date: 2022-06-04
modified: 2023-01-19
tags:
    - cve.2022-26134
    - cve.2021-26084
    - attack.initial-access
    - attack.t1190
logsource:
    category: webserver
detection:
    keywords:
        - '%24%7B%28%23a%3D%40'
        - '${(#a=@'
        - '%24%7B%40java'
        - '${@java'
        - 'u0022java'
        - '%2F%24%7B%23'
        - '/${#'
        - 'new+java.'
        - 'getRuntime().exec('
        - 'getRuntime%28%29.exec%28'
    condition: keywords
falsepositives:
    - Legitimate apps
level: high
high
JexBoss Command Sequence
Detects suspicious command sequence that JexBoss
status test author Florian Roth (Nextron Systems) id 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
view Sigma YAML 
title: JexBoss Command Sequence
id: 8ec2c8b4-557a-4121-b87c-5dfb3a602fae
status: test
description: Detects suspicious command sequence that JexBoss
references:
    - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
author: Florian Roth (Nextron Systems)
date: 2017-08-24
modified: 2025-11-22
tags:
    - attack.execution
    - attack.t1059.004
logsource:
    product: linux
detection:
    keywords:
        '|all':
            - 'bash -c /bin/bash'
            - '&/dev/tcp/'
    condition: keywords
falsepositives:
    - Unknown
level: high
high
Kaspersky Endpoint Security Stopped Via CommandLine - Linux
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl. This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
status experimental author Milad Cheraghi id 36388120-b3f1-4ce9-b50b-280d9a7f4c04
view Sigma YAML 
title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
status: experimental
description: |
  Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
  This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
references:
    - https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
author: Milad Cheraghi
date: 2025-10-18
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1685
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith:
            # Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
            - '/systemctl'
            - '/bash'
            - '/sh'
        CommandLine|contains|all:
            - 'stop'
            - 'kesl'
    condition: selection
falsepositives:
    - System administrator manually stopping Kaspersky services
level: high
high
Kavremover Dropped Binary LOLBIN Usage
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
status test author Nasreddine Bencherchali (Nextron Systems) id d047726b-c71c-4048-a99b-2e2f50dc107d
view Sigma YAML 
title: Kavremover Dropped Binary LOLBIN Usage
id: d047726b-c71c-4048-a99b-2e2f50dc107d
status: test
description: Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
references:
    - https://nasbench.medium.com/lolbined-using-kaspersky-endpoint-security-kes-installer-to-execute-arbitrary-commands-1c999f1b7fea
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-01
tags:
    - attack.execution
    - attack.stealth
    - attack.t1127
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: ' run run-cmd '
    filter_main_legit_parents:
        ParentImage|endswith:
            - '\cleanapi.exe' # When launched from KES installer
            - '\kavremover.exe' # When launched from kavremover.exe
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
status test author Florian Roth (Nextron Systems) id f7644214-0eb0-4ace-9455-331ec4c09253
view Sigma YAML 
title: Kerberos Manipulation
id: f7644214-0eb0-4ace-9455-331ec4c09253
status: test
description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
author: Florian Roth (Nextron Systems)
date: 2017-02-10
modified: 2024-01-16
tags:
    - attack.credential-access
    - attack.t1212
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 675
            - 4768
            - 4769
            - 4771
        Status:
            - '0x9'
            - '0xA'
            - '0xB'
            - '0xF'
            - '0x10'
            - '0x11'
            - '0x13'
            - '0x14'
            - '0x1A'
            - '0x1F'
            - '0x21'
            - '0x22'
            - '0x23'
            - '0x24'
            - '0x26'
            - '0x27'
            - '0x28'
            - '0x29'
            - '0x2C'
            - '0x2D'
            - '0x2E'
            - '0x2F'
            - '0x31'
            - '0x32'
            - '0x3E'
            - '0x3F'
            - '0x40'
            - '0x41'
            - '0x43'
            - '0x44'
    condition: selection
falsepositives:
    - Faulty legacy applications
level: high
high
Kernel Memory Dump Via LiveKD
Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
status test author Nasreddine Bencherchali (Nextron Systems) id c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
view Sigma YAML 
title: Kernel Memory Dump Via LiveKD
id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
status: test
description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
    - https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/
    - https://kb.acronis.com/content/60892
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-16
modified: 2024-03-13
tags:
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\livekd.exe'
              - '\livekd64.exe'
        - OriginalFileName: 'livekd.exe'
    selection_cli:
        CommandLine|contains|windash: ' -m'
    condition: all of selection_*
falsepositives:
    - Unlikely in production environment
level: high
high
KrbRelayUp Service Installation
Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
status test author Sittikorn S, Tim Shelton id e97d9903-53b2-41fc-8cb9-889ed4093e80
view Sigma YAML 
title: KrbRelayUp Service Installation
id: e97d9903-53b2-41fc-8cb9-889ed4093e80
status: test
description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)
references:
    - https://github.com/Dec0ne/KrbRelayUp
author: Sittikorn S, Tim Shelton
date: 2022-05-11
modified: 2022-10-05
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
        ServiceName: 'KrbSCM'
    condition: selection
falsepositives:
    - Unknown
level: high
high
LOL-Binary Copied From System Directory
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
status test author Nasreddine Bencherchali (Nextron Systems) id f5d19838-41b5-476c-98d8-ba8af4929ee2
view Sigma YAML 
title: LOL-Binary Copied From System Directory
id: f5d19838-41b5-476c-98d8-ba8af4929ee2
related:
    - id: fff9d2b7-e11c-4a69-93d3-40ef66189767
      type: derived
status: test
description: |
    Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
references:
    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
    - https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-29
modified: 2025-11-27
tags:
    - attack.stealth
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'copy '
    selection_tools_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'copy-item'
            - ' copy '
            - 'cpi '
            - ' cp '
    selection_tools_other:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_target_path:
        CommandLine|contains:
            - '\System32'
            - '\SysWOW64'
            - '\WinSxS'
    selection_target_lolbin:
        CommandLine|contains:
            # Note: add more binaries to increase coverage
            - '\bitsadmin.exe'
            - '\calc.exe'
            - '\certutil.exe'
            - '\cmdl32.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\ie4uinit.exe'
    condition: 1 of selection_tools_* and all of selection_target_*
falsepositives:
    - Unknown
level: high
high
LSASS Access Detected via Attack Surface Reduction
Detects Access to LSASS Process
status test author Markus Neis id a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
view Sigma YAML 
title: LSASS Access Detected via Attack Surface Reduction
id: a0a278fe-2c0e-4de2-ac3c-c68b08a9ba98
status: test
description: Detects Access to LSASS Process
references:
    - https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction
author: Markus Neis
date: 2018-08-26
modified: 2022-08-13
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: windefend
    definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
    selection:
        EventID: 1121
        Path|endswith: '\lsass.exe'
    filter_thor:
        ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
        ProcessName|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    filter_exact:
        ProcessName:
            - 'C:\Windows\System32\atiesrxx.exe'
            - 'C:\Windows\System32\CompatTelRunner.exe'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\System32\nvwmi64.exe'
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\System32\Taskmgr.exe'
            - 'C:\Windows\System32\wbem\WmiPrvSE.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_begins:
        ProcessName|startswith:
            - 'C:\Windows\System32\DriverStore\'
            - 'C:\WINDOWS\Installer\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Google Chrome GoogleUpdate.exe
    - Some Taskmgr.exe related activity
level: high
high
LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
status test author Florian Roth (Nextron Systems) id 4be8b654-0c01-4c9d-a10c-6b28467fc651
view Sigma YAML 
title: LSASS Access From Potentially White-Listed Processes
id: 4be8b654-0c01-4c9d-a10c-6b28467fc651
status: test
description: |
    Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
    - https://twitter.com/mrd0x/status/1460597833917251595
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|endswith:
            - '\TrolleyExpress.exe'  # Citrix
            - '\ProcessDump.exe'     # Cisco Jabber
            - '\dump64.exe'          # Visual Studio
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Unknown
level: high
high
LSASS Dump Keyword In CommandLine
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
status test author E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems) id ffa6861c-4461-4f59-8a41-578c39f3f23e
view Sigma YAML 
title: LSASS Dump Keyword In CommandLine
id: ffa6861c-4461-4f59-8a41-578c39f3f23e
related:
    - id: a5a2d357-1ab8-4675-a967-ef9990a59391
      type: derived
status: test
description: |
    Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
references:
    - https://github.com/Hackndo/lsassy
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
    - https://github.com/helpsystems/nanodump
    - https://github.com/CCob/MirrorDump
author: E.M. Anhaus, Tony Lambert, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-08-29
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - CommandLine|contains:
              - 'lsass.dmp'
              - 'lsass.zip'
              - 'lsass.rar'
              - 'Andrew.dmp'
              - 'Coredump.dmp'
              - 'NotLSASS.zip'  # https://github.com/CCob/MirrorDump
              - 'lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
              - 'lsassdump'
              - 'lsassdmp'
        - CommandLine|contains|all:
              - 'lsass'
              - '.dmp'
        - CommandLine|contains|all:
              - 'SQLDmpr'
              - '.mdmp'
        - CommandLine|contains|all:
              - 'nanodump'
              - '.dmp'
    condition: selection
falsepositives:
    - Unlikely
level: high
high
LSASS Memory Access by Tool With Dump Keyword In Name
Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
status test author Florian Roth (Nextron Systems) id 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
view Sigma YAML 
title: LSASS Memory Access by Tool With Dump Keyword In Name
id: 9bd012ee-0dff-44d7-84a0-aa698cfd87a3
status: test
description: Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
references:
    - https://twitter.com/_xpn_/status/1491557187168178176
    - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz
author: Florian Roth (Nextron Systems)
date: 2022-02-10
modified: 2023-11-29
tags:
    - attack.credential-access
    - attack.t1003.001
    - attack.s0002
logsource:
    category: process_access
    product: windows
detection:
    selection:
        TargetImage|endswith: '\lsass.exe'
        SourceImage|contains: 'dump'
        GrantedAccess|endswith:
            - '10'
            - '30'
            - '50'
            - '70'
            - '90'
            - 'B0'
            - 'D0'
            - 'F0'
            - '18'
            - '38'
            - '58'
            - '78'
            - '98'
            - 'B8'
            - 'D8'
            - 'F8'
            - '1A'
            - '3A'
            - '5A'
            - '7A'
            - '9A'
            - 'BA'
            - 'DA'
            - 'FA'
            - '0x14C2'  # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c
            - 'FF'
    condition: selection
falsepositives:
    - Rare programs that contain the word dump in their name and access lsass
level: high
high
LSASS Process Crashed - Application
Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
status experimental author Nasreddine Bencherchali (Nextron Systems) id a18e0862-127b-43ca-be12-1a542c75c7c5
view Sigma YAML 
title: LSASS Process Crashed - Application
id: a18e0862-127b-43ca-be12-1a542c75c7c5
status: experimental
description: |
    Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service).
    This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-07
modified: 2025-12-03
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    service: application
detection:
    selection:
        Provider_Name: 'Application Error'
        EventID: 1000
        AppName: 'lsass.exe'
        ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
    condition: selection
falsepositives:
    - Rare legitimate crashing of the lsass process
level: high
high
LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
status test author @pbssubhash id 6902955a-01b7-432c-b32a-6f5f81d8f625
view Sigma YAML 
title: LSASS Process Dump Artefact In CrashDumps Folder
id: 6902955a-01b7-432c-b32a-6f5f81d8f625
status: test
description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
references:
    - https://github.com/deepinstinct/Lsass-Shtinkering
    - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
author: '@pbssubhash'
date: 2022-12-08
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\'
        TargetFilename|contains: 'lsass.exe.'
        TargetFilename|endswith: '.dmp'
    condition: selection
falsepositives:
    - Rare legitimate dump of the process by the operating system due to a crash of lsass
level: high
high
LSASS Process Memory Dump Creation Via Taskmgr.EXE
Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
status test author Swachchhanda Shrawan Poudel id 69ca12af-119d-44ed-b50f-a47af0ebc364
view Sigma YAML 
title: LSASS Process Memory Dump Creation Via Taskmgr.EXE
id: 69ca12af-119d-44ed-b50f-a47af0ebc364
status: test
description: Detects the creation of an "lsass.dmp" file by the taskmgr process. This indicates a manual dumping of the LSASS.exe process memory using Windows Task Manager.
author: Swachchhanda Shrawan Poudel
date: 2023-10-19
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1003.001/T1003.001.md#L1
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - ':\Windows\system32\taskmgr.exe'
            - ':\Windows\SysWOW64\taskmgr.exe'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '\lsass'
            - '.DMP'
    condition: selection
falsepositives:
    - Rare case of troubleshooting by an administrator or support that has to be investigated regardless
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_taskmgr_lsass_dump/info.yml
high
LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
status test author Florian Roth (Nextron Systems) id a5a2d357-1ab8-4675-a967-ef9990a59391
view Sigma YAML 
title: LSASS Process Memory Dump Files
id: a5a2d357-1ab8-4675-a967-ef9990a59391
related:
    - id: db2110f3-479d-42a6-94fb-d35bc1e46492
      type: obsolete
    - id: 5e3d3601-0662-4af0-b1d2-36a05e90c40a
      type: obsolete
status: test
description: Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
references:
    - https://www.google.com/search?q=procdump+lsass
    - https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf
    - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
    - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
    - https://github.com/helpsystems/nanodump
    - https://github.com/CCob/MirrorDump
    - https://github.com/safedv/RustiveDump/blob/1a9b026b477587becfb62df9677cede619d42030/src/main.rs#L35
    - https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
author: Florian Roth (Nextron Systems)
date: 2021-11-15
modified: 2024-10-08
tags:
    - attack.credential-access
    - attack.t1003.001
logsource:
    product: windows
    category: file_event
detection:
    selection_1:
        TargetFilename|endswith:
            - '\Andrew.dmp'
            - '\Coredump.dmp'
            - '\lsass.dmp'
            - '\lsass.rar'
            - '\lsass.zip'
            - '\NotLSASS.zip'  # https://github.com/CCob/MirrorDump
            - '\PPLBlade.dmp'  # https://github.com/tastypepperoni/PPLBlade
            - '\rustive.dmp' # https://github.com/safedv/RustiveDump/blob/main/src/main.rs#L35
    selection_2:
        TargetFilename|contains:
            - '\lsass_2'  # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
            - '\lsassdmp'
            - '\lsassdump'
    selection_3:
        TargetFilename|contains|all:
            - '\lsass'
            - '.dmp'
    selection_4:
        TargetFilename|contains: 'SQLDmpr'
        TargetFilename|endswith: '.mdmp'
    selection_5:
        TargetFilename|contains:
            - '\nanodump'
            - '\proc_' # NativeDump pattern https://github.com/ricardojoserf/NativeDump/blob/01d8cd17f31f51f5955a38e85cd3c83a17596175/NativeDump/Program.cs#L258
        TargetFilename|endswith: '.dmp'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
high
LSASS Process Reconnaissance Via Findstr.EXE
Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
status test author Florian Roth (Nextron Systems) id fe63010f-8823-4864-a96b-a7b4a0f7b929
view Sigma YAML 
title: LSASS Process Reconnaissance Via Findstr.EXE
id: fe63010f-8823-4864-a96b-a7b4a0f7b929
status: test
description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
references:
    - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
author: Florian Roth (Nextron Systems)
date: 2022-08-12
modified: 2024-06-04
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_findstr_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_findstr_cli:
        CommandLine|contains: 'lsass'
    selection_special:
        CommandLine|contains|windash:
            - ' /i "lsass'
            - ' /i lsass.exe'
            - 'findstr "lsass'
            - 'findstr lsass'
            - 'findstr.exe "lsass'
            - 'findstr.exe lsass'
    condition: all of selection_findstr_* or selection_special
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_lsass/info.yml
high
Legitimate Application Dropped Archive
Detects programs on a Windows system that should not write an archive to disk
status test author frack113, Florian Roth id 654fcc6d-840d-4844-9b07-2c3300e54a26
view Sigma YAML 
title: Legitimate Application Dropped Archive
id: 654fcc6d-840d-4844-9b07-2c3300e54a26
status: test
description: Detects programs on a Windows system that should not write an archive to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth
date: 2022-08-21
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables
            - \winword.exe
            - \excel.exe
            - \powerpnt.exe
            - \msaccess.exe
            - \mspub.exe
            - \eqnedt32.exe
            - \visio.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download executables
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - \finger.exe
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - \notepad.exe
            - \AcroRd32.exe
            - \RdrCEF.exe
            - \mshta.exe
            - \hh.exe
        TargetFilename|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
            - '.diagcab'
            - '.appx'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Legitimate Application Dropped Executable
Detects programs on a Windows system that should not write executables to disk
status test author frack113, Florian Roth (Nextron Systems) id f0540f7e-2db3-4432-b9e0-3965486744bc
view Sigma YAML 
title: Legitimate Application Dropped Executable
id: f0540f7e-2db3-4432-b9e0-3965486744bc
status: test
description: Detects programs on a Windows system that should not write executables to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            # - \expand.exe
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.exe'
            - '.dll'
            - '.ocx'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Legitimate Application Dropped Script
Detects programs on a Windows system that should not write scripts to disk
status test author frack113, Florian Roth (Nextron Systems) id 7d604714-e071-49ff-8726-edeb95a70679
view Sigma YAML 
title: Legitimate Application Dropped Script
id: 7d604714-e071-49ff-8726-edeb95a70679
status: test
description: Detects programs on a Windows system that should not write scripts to disk
references:
    - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-21
modified: 2023-06-22
tags:
    - attack.stealth
    - attack.t1218
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - \eqnedt32.exe
            - \wordpad.exe
            - \wordview.exe
            # LOLBINs that can be used to download executables
            - \certutil.exe
            - \certoc.exe
            - \CertReq.exe
            # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
            - \Desktopimgdownldr.exe
            - \esentutl.exe
            # - \expand.exe
            - '\mshta.exe'
            # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
            - '\AcroRd32.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
        TargetFilename|endswith:
            - '.ps1'
            - '.bat'
            - '.vbs'
            - '.scf'
            - '.wsf'
            - '.wsh'
    condition: selection
falsepositives:
    - Unknown
level: high
Showing 401-450 of 1,417
Prev 9 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin