Sigma detection rules

Home/Sigma rules

Sigma

14 rules indexed · SIEM-agnostic detection content

Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity critical high medium low all severities

◈

Detection rules

14 shown of 14

high

Flash Player Update from Suspicious Location

Detects a flashplayer update from an unofficial location

status test author Florian Roth (Nextron Systems) id 4922a5dd-6743-4fc2-8e81-144374280997

view Sigma YAML

title: Flash Player Update from Suspicious Location
id: 4922a5dd-6743-4fc2-8e81-144374280997
status: test
description: Detects a flashplayer update from an unofficial location
references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth (Nextron Systems)
date: 2017-10-25
modified: 2022-08-08
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1189
    - attack.execution
    - attack.t1204.002
    - attack.t1036.005
logsource:
    category: proxy
detection:
    selection:
        - c-uri|contains: '/flash_install.php'
        - c-uri|endswith: '/install_flash_player.exe'
    filter:
        cs-host|endswith: '.adobe.com'
    condition: selection and not filter
falsepositives:
    - Unknown flash download locations
level: high

high

Potential MsiExec Masquerading

Detects the execution of msiexec.exe from an uncommon directory

status test author Florian Roth (Nextron Systems) id e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144

view Sigma YAML

title: Potential MsiExec Masquerading
id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
status: test
description: Detects the execution of msiexec.exe from an uncommon directory
references:
    - https://twitter.com/200_okay_/status/1194765831911215104
author: Florian Roth (Nextron Systems)
date: 2019-11-14
modified: 2023-02-21
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\msiexec.exe'
        - OriginalFileName: '\msiexec.exe'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

high

Scheduled Task Creation Masquerading as System Processes

Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.

status experimental author Swachchhanda Shrawan Poudel (Nextron Systems) id 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab

view Sigma YAML

title: Scheduled Task Creation Masquerading as System Processes
id: 9f8573c9-22b4-40e3-89c1-72bc2b8d49ab
status: experimental
description: Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.stealth
    - attack.t1053.005
    - attack.t1036.004
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli:
        CommandLine|contains|windash: ' /create '
        CommandLine|contains:
            - ' audiodg'
            - ' conhost'
            - ' dwm.exe'
            - ' explorer'
            - ' lsass'
            - ' lsm'
            - ' mmc'
            - ' msiexec'
            - ' regsvr32'
            - ' rundll32'
            - ' services'
            - ' spoolsv'
            - ' svchost'
            - ' taskeng'
            - ' taskhost'
            - ' wininit'
            - ' winlogon'
    condition: all of selection_*
falsepositives:
    - Legitimate system administration tasks scheduling trusted system processes.
level: high

high

Suspicious Process Masquerading As SvcHost.EXE

Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.

status test author Swachchhanda Shrawan Poudel id be58d2e2-06c8-4f58-b666-b99f6dc3b6cd

view Sigma YAML

title: Suspicious Process Masquerading As SvcHost.EXE
id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
related:
    - id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
      type: similar
    - id: e4a6b256-3e47-40fc-89d2-7a477edd6915
      type: similar
status: test
description: |
    Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
    Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
references:
    - https://tria.ge/240731-jh4crsycnb/behavioral2
    - https://redcanary.com/blog/threat-detection/process-masquerading/
author: Swachchhanda Shrawan Poudel
date: 2024-08-07
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter_main_img_location:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    filter_main_ofn:
        OriginalFileName: 'svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_svchost_masqueraded_execution/info.yml

high

Uncommon Svchost Command Line Parameter

Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns. This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.

status experimental author Liran Ravich id f17211f1-1f24-4d0c-829f-31e28dc93cdd

view Sigma YAML

title: Uncommon Svchost Command Line Parameter
id: f17211f1-1f24-4d0c-829f-31e28dc93cdd
status: experimental
description: |
    Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
    This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
references:
    - https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/
    - https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
    - https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
author: Liran Ravich
date: 2025-11-14
modified: 2026-03-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1036.005
    - attack.t1055
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example of command to simulate: "C:\Windows\System32\svchost.exe" calc.exe
        Image|endswith: '\svchost.exe'
    filter_main_flags:
        CommandLine|re: '-k\s\w{1,64}(?:\s?(?:-p|-s))?'
    filter_main_empty:
        CommandLine: ''
    filter_main_null:
        CommandLine: null
    filter_optional_defender:
        ParentImage|endswith: '\MsMpEng.exe'
        CommandLine|contains: 'svchost.exe'
    filter_optional_mrt:
        ParentImage|endswith: '\MRT.exe'
        CommandLine: 'svchost.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high

medium

Creation Of Pod In System Namespace

Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.

status test author Leo Tsaousis (@laripping) id a80d927d-ac6e-443f-a867-e8d6e3897318

view Sigma YAML

title: Creation Of Pod In System Namespace
id: a80d927d-ac6e-443f-a867-e8d6e3897318
status: test
description: |
    Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
    System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
    Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection.
    Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.
references:
    - https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/Pod%20or%20container%20name%20similarily/
author: Leo Tsaousis (@laripping)
date: 2024-03-26
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: application
    product: kubernetes
    service: audit
detection:
    selection:
        verb: 'create'
        objectRef.resource: 'pods'
        objectRef.namespace: kube-system
    condition: selection
falsepositives:
    - System components such as daemon-set-controller and kube-scheduler also create pods in the kube-system namespace
level: medium

medium

Files With System DLL Name In Unsuspected Locations

Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.

status test author Nasreddine Bencherchali (Nextron Systems) id 13c02350-4177-4e45-ac17-cf7ca628ff5e

view Sigma YAML

title: Files With System DLL Name In Unsuspected Locations
id: 13c02350-4177-4e45-ac17-cf7ca628ff5e
status: test
description: |
    Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.).
    It is highly recommended to perform an initial baseline before using this rule in production.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-24
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            # Note: Add more System DLL that can be abused for DLL sideloading to increase coverage
            - '\secur32.dll'
            - '\tdh.dll'
    filter_main_generic:
        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Third party software might bundle specific versions of system DLLs.
# Note: Upgrade to high after an initial baseline to your environement.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_dll_files/info.yml

medium

Files With System Process Name In Unsuspected Locations

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

status test author Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) id d5866ddf-ce8f-4aea-b28e-d96485a20d3d

view Sigma YAML

title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: |
    Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
    It is highly recommended to perform an initial baseline before using this rule in production.
references:
    - Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-26
modified: 2026-02-04
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '\AtBroker.exe'
            - '\audiodg.exe'
            - '\backgroundTaskHost.exe'
            - '\bcdedit.exe'
            - '\bitsadmin.exe'
            - '\cmdl32.exe'
            - '\cmstp.exe'
            - '\conhost.exe'
            - '\csrss.exe'
            - '\dasHost.exe'
            - '\dfrgui.exe'
            - '\dllhost.exe'
            - '\dwm.exe'
            - '\eventcreate.exe'
            - '\eventvwr.exe'
            - '\explorer.exe'
            - '\extrac32.exe'
            - '\fontdrvhost.exe'
            - '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
            - '\ipconfig.exe'
            - '\iscsicli.exe'
            - '\iscsicpl.exe'
            - '\logman.exe'
            - '\LogonUI.exe'
            - '\LsaIso.exe'
            - '\lsass.exe'
            - '\lsm.exe'
            - '\msiexec.exe'
            - '\msinfo32.exe'
            - '\mstsc.exe'
            - '\nbtstat.exe'
            - '\odbcconf.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regini.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\RuntimeBroker.exe'
            - '\schtasks.exe'
            - '\SearchFilterHost.exe'
            - '\SearchIndexer.exe'
            - '\SearchProtocolHost.exe'
            - '\SecurityHealthService.exe'
            - '\SecurityHealthSystray.exe'
            - '\services.exe'
            - '\ShellAppRuntime.exe'
            - '\sihost.exe'
            - '\smartscreen.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\SystemSettingsBroker.exe'
            - '\taskhost.exe'
            - '\taskhostw.exe'
            - '\Taskmgr.exe'
            - '\TiWorker.exe'
            - '\vssadmin.exe'
            - '\w32tm.exe'
            - '\WerFault.exe'
            - '\WerFaultSecure.exe'
            - '\wermgr.exe'
            - '\wevtutil.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
            - '\winrshost.exe'
            - '\WinRTNetMUAHostServer.exe'
            - '\wlanext.exe'
            - '\wlrmdr.exe'
            - '\WmiPrvSE.exe'
            - '\wslhost.exe'
            - '\WSReset.exe'
            - '\WUDFHost.exe'
            - '\WWAHost.exe'
    filter_main_generic:
        # Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
        TargetFilename|contains:
            # - '\SystemRoot\System32\'
            - 'C:\$WINDOWS.~BT\'
            - 'C:\$WinREAgent\'
            - 'C:\Windows\SoftwareDistribution\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Windows\WinSxS\'
            - 'C:\Windows\uus\'
    filter_main_tiworker:
        Image|endswith:
            - '\TiWorker.exe'
            - '\wuaucltcore.exe'
        TargetFilename|startswith: 'C:\Windows\Temp\'
    filter_main_svchost:
        Image|endswith:
            - 'C:\Windows\system32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
        TargetFilename|contains:
            - 'C:\Program Files\WindowsApps\'
            - 'C:\Program Files (x86)\WindowsApps\'
            - '\AppData\Local\Microsoft\WindowsApps\'
    filter_main_wuauclt:
        Image:
            - 'C:\Windows\System32\wuauclt.exe'
            - 'C:\Windows\SysWOW64\wuauclt.exe'
            - 'C:\Windows\UUS\arm64\wuaucltcore.exe'
    filter_main_explorer:
        TargetFilename|endswith: 'C:\Windows\explorer.exe'
    filter_main_msiexec:
        # This filter handles system processes who are updated/installed using misexec.
        Image|endswith:
            - 'C:\WINDOWS\system32\msiexec.exe'
            - 'C:\WINDOWS\SysWOW64\msiexec.exe'
        # Add more processes if you find them or simply filter msiexec on its own. If the list grows big
        TargetFilename|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
    filter_main_healtray:
        TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
        TargetFilename|endswith: '\SecurityHealthSystray.exe'
        Image|endswith: '\SecurityHealthSetup.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - System processes copied outside their default folders for testing purposes
    - Third party software naming their software with the same names as the processes mentioned here
# Note: Upgrade to high after an initial baseline to your environement.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml

medium

Potential Binary Impersonating Sysinternals Tools

Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.

status test author frack113, Swachchhanda Shrawan Poudel (Nextron Systems) id 7cce6fc8-a07f-4d84-a53e-96e1879843c9

view Sigma YAML

title: Potential Binary Impersonating Sysinternals Tools
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
status: test
description: |
    Detects binaries that use the same name as legitimate sysinternals tools to evade detection.
    This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
    Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2025-04-12
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_exe:
        Image|endswith:
            - '\accesschk.exe'
            - '\accesschk64.exe'
            - '\AccessEnum.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\ADInsight.exe'
            - '\ADInsight64.exe'
            - '\adrestore.exe'
            - '\adrestore64.exe'
            - '\Autologon.exe'
            - '\Autologon64.exe'
            - '\Autoruns.exe'
            - '\Autoruns64.exe'
            - '\autorunsc.exe'
            - '\autorunsc64.exe'
            - '\Bginfo.exe'
            - '\Bginfo64.exe'
            - '\Cacheset.exe'
            - '\Cacheset64.exe'
            - '\Clockres.exe'
            - '\Clockres64.exe'
            - '\Contig.exe'
            - '\Contig64.exe'
            - '\Coreinfo.exe'
            - '\Coreinfo64.exe'
            - '\CPUSTRES.EXE'
            - '\CPUSTRES64.EXE'
            - '\ctrl2cap.exe'
            - '\Dbgview.exe'
            - '\dbgview64.exe'
            - '\Desktops.exe'
            - '\Desktops64.exe'
            - '\disk2vhd.exe'
            - '\disk2vhd64.exe'
            - '\diskext.exe'
            - '\diskext64.exe'
            - '\Diskmon.exe'
            - '\Diskmon64.exe'
            - '\DiskView.exe'
            - '\DiskView64.exe'
            - '\du.exe'
            - '\du64.exe'
            - '\efsdump.exe'
            - '\FindLinks.exe'
            - '\FindLinks64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\hex2dec.exe'
            - '\hex2dec64.exe'
            - '\junction.exe'
            - '\junction64.exe'
            - '\ldmdump.exe'
            - '\listdlls.exe'
            - '\listdlls64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\loadOrd.exe'
            - '\loadOrd64.exe'
            - '\loadOrdC.exe'
            - '\loadOrdC64.exe'
            - '\logonsessions.exe'
            - '\logonsessions64.exe'
            - '\movefile.exe'
            - '\movefile64.exe'
            - '\notmyfault.exe'
            - '\notmyfault64.exe'
            - '\notmyfaultc.exe'
            - '\notmyfaultc64.exe'
            - '\ntfsinfo.exe'
            - '\ntfsinfo64.exe'
            - '\pendmoves.exe'
            - '\pendmoves64.exe'
            - '\pipelist.exe'
            - '\pipelist64.exe'
            - '\portmon.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\Procmon.exe'
            - '\Procmon64.exe'
            - '\psExec.exe'
            - '\psExec64.exe'
            - '\psfile.exe'
            - '\psfile64.exe'
            - '\psGetsid.exe'
            - '\psGetsid64.exe'
            - '\psInfo.exe'
            - '\psInfo64.exe'
            - '\pskill.exe'
            - '\pskill64.exe'
            - '\pslist.exe'
            - '\pslist64.exe'
            - '\psLoggedon.exe'
            - '\psLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\psping.exe'
            - '\psping64.exe'
            - '\psService.exe'
            - '\psService64.exe'
            - '\psshutdown.exe'
            - '\psshutdown64.exe'
            - '\pssuspend.exe'
            - '\pssuspend64.exe'
            - '\RAMMap.exe'
            - '\RAMMap64.exe'
            - '\RDCMan.exe'
            - '\RegDelNull.exe'
            - '\RegDelNull64.exe'
            - '\regjump.exe'
            - '\ru.exe'
            - '\ru64.exe'
            - '\sdelete.exe'
            - '\sdelete64.exe'
            - '\ShareEnum.exe'
            - '\ShareEnum64.exe'
            - '\shellRunas.exe'
            - '\sigcheck.exe'
            - '\sigcheck64.exe'
            - '\streams.exe'
            - '\streams64.exe'
            - '\strings.exe'
            - '\strings64.exe'
            - '\sync.exe'
            - '\sync64.exe'
            - '\Sysmon.exe'
            - '\Sysmon64.exe'
            - '\tcpvcon.exe'
            - '\tcpvcon64.exe'
            - '\tcpview.exe'
            - '\tcpview64.exe'
            - '\Testlimit.exe'
            - '\Testlimit64.exe'
            - '\vmmap.exe'
            - '\vmmap64.exe'
            - '\Volumeid.exe'
            - '\Volumeid64.exe'
            - '\whois.exe'
            - '\whois64.exe'
            - '\Winobj.exe'
            - '\Winobj64.exe'
            - '\ZoomIt.exe'
            - '\ZoomIt64.exe'
    selection_arm64:
        Image|endswith:
            - '\accesschk64a.exe'
            - '\ADExplorer64a.exe'
            - '\ADInsight64a.exe'
            - '\adrestore64a.exe'
            - '\Autologon64a.exe'
            - '\Autoruns64a.exe'
            - '\autorunsc64a.exe'
            - '\Clockres64a.exe'
            - '\Contig64a.exe'
            - '\Coreinfo64a.exe'
            - '\Dbgview64a.exe'
            - '\disk2vhd64a.exe'
            - '\diskext64a.exe'
            - '\DiskView64a.exe'
            - '\du64a.exe'
            - '\FindLinks64a.exe'
            - '\handle64a.exe'
            - '\hex2dec64a.exe'
            - '\junction64a.exe'
            - '\LoadOrd64a.exe'
            - '\LoadOrdC64a.exe'
            - '\logonsessions64a.exe'
            - '\movefile64a.exe'
            - '\notmyfault64a.exe'
            - '\notmyfaultc64a.exe'
            - '\pendmoves64a.exe'
            - '\pipelist64a.exe'
            - '\procdump64a.exe'
            - '\procexp64a.exe'
            - '\Procmon64a.exe'
            - '\PsExec64a.exe'
            - '\psfile64a.exe'
            - '\PsGetsid64a.exe'
            - '\PsInfo64a.exe'
            - '\pskill64a.exe'
            - '\psloglist64a.exe'
            - '\pspasswd64a.exe'
            - '\psping64a.exe'
            - '\PsService64a.exe'
            - '\pssuspend64a.exe'
            - '\RAMMap64a.exe'
            - '\RegDelNull64a.exe'
            - '\ru64a.exe'
            - '\sdelete64a.exe'
            - '\sigcheck64a.exe'
            - '\streams64a.exe'
            - '\strings64a.exe'
            - '\sync64a.exe'
            - '\Sysmon64a.exe'
            - '\tcpvcon64a.exe'
            - '\tcpview64a.exe'
            - '\vmmap64a.exe'
            - '\whois64a.exe'
            - '\Winobj64a.exe'
            - '\ZoomIt64a.exe'
    filter_valid:
        - Company:
              - 'Sysinternals - www.sysinternals.com'
              - 'Sysinternals'
        - Product|startswith: 'Sysinternals'
    filter_empty:
        - Company: null
        - Product: null
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium

medium

Suspicious Files in Default GPO Folder

Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder

status test author elhoim id 5f87308a-0a5b-4623-ae15-d8fa1809bc60

view Sigma YAML

title: Suspicious Files in Default GPO Folder
id: 5f87308a-0a5b-4623-ae15-d8fa1809bc60
status: test
description: Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
references:
    - https://redcanary.com/blog/intelligence-insights-november-2021/
author: elhoim
date: 2022-04-28
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|contains: '\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

medium

Suspicious Scheduled Task Creation via Masqueraded XML File

Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence

status test author Swachchhanda Shrawan Poudel, Elastic (idea) id dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c

view Sigma YAML

title: Suspicious Scheduled Task Creation via Masqueraded XML File
id: dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c
status: test
description: Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
references:
    - https://learn.microsoft.com/en-us/windows/win32/taskschd/daily-trigger-example--xml-
    - https://github.com/elastic/protections-artifacts/blob/084067123d3328a823b1c3fdde305b694275c794/behavior/rules/persistence_suspicious_scheduled_task_creation_via_masqueraded_xml_file.toml
author: Swachchhanda Shrawan Poudel, Elastic (idea)
date: 2023-04-20
modified: 2024-12-01
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.stealth
    - attack.t1036.005
    - attack.t1053.005
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\schtasks.exe'
        - OriginalFileName: 'schtasks.exe'
    selection_cli_create:
        CommandLine|contains:
            - '/create'
            - '-create'
    selection_cli_xml:
        CommandLine|contains:
            - '/xml'
            - '-xml'
    filter_main_extension_xml:
        CommandLine|contains: '.xml'
    filter_main_system_process:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
    filter_main_rundll32:
        ParentImage|endswith: '\rundll32.exe'
        ParentCommandLine|contains|all:
            - ':\WINDOWS\Installer\MSI'
            - '.tmp,zzzzInvokeManagedCustomActionOutOfProc'
    filter_optional_third_party:
        ParentImage|endswith:
            # Consider removing any tools that you don't use to avoid blind spots
            - ':\ProgramData\OEM\UpgradeTool\CareCenter_*\BUnzip\Setup_msi.exe'
            - ':\Program Files\Axis Communications\AXIS Camera Station\SetupActions.exe'
            - ':\Program Files\Axis Communications\AXIS Device Manager\AdmSetupActions.exe'
            - ':\Program Files (x86)\Zemana\AntiMalware\AntiMalware.exe'
            - ':\Program Files\Dell\SupportAssist\pcdrcui.exe'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

medium

Uncommon Svchost Parent Process

Detects an uncommon svchost parent process

status test author Florian Roth (Nextron Systems) id 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d

view Sigma YAML

title: Uncommon Svchost Parent Process
id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
status: test
description: Detects an uncommon svchost parent process
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-08-15
modified: 2022-06-28
tags:
    - attack.stealth
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter_main_generic:
        ParentImage|endswith:
            - '\Mrt.exe'
            - '\MsMpEng.exe'
            - '\ngen.exe'
            - '\rpcnet.exe'
            - '\services.exe'
            - '\TiWorker.exe'
    filter_main_parent_null:
        ParentImage: null
    filter_main_parent_empty:
        ParentImage:
            - '-'
            - ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

medium

Unsigned .node File Loaded

Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.

status experimental author Jonathan Beierle (@hullabrian) id e5f5c693-52d7-4de5-88ae-afbfbce85595

view Sigma YAML

title: Unsigned .node File Loaded
id: e5f5c693-52d7-4de5-88ae-afbfbce85595
status: experimental
description: |
    Detects the loading of unsigned .node files.
    Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack.
    .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code.
    This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
references:
    - https://www.coreycburton.com/blog/driploader-case-study
    - https://github.com/CoreyCBurton/DripLoaderNG
    - https://www.electronjs.org/docs/latest/tutorial/native-code-and-electron
author: Jonathan Beierle (@hullabrian)
date: 2025-11-22
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1129
    - attack.t1574.001
    - attack.t1036.005
logsource:
    category: image_load
    product: windows
detection:
    selection_node_extension:
        ImageLoaded|endswith: '.node'
    selection_status:
        - Signed: 'false'
        - SignatureStatus: 'Unavailable'
    filter_optional_vscode_jupyter:
        Image|endswith: '\Code.exe'
        ImageLoaded|contains: '.vscode\extensions\ms-toolsai.jupyter-'
        ImageLoaded|endswith:
            - '\electron.napi.node'
            - '\node.napi.glibc.node'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - VsCode extensions or similar legitimate tools might use unsigned .node files. These should be investigated on a case-by-case basis, and whitelisted if determined to be benign.
level: medium

low

Windows Processes Suspicious Parent Directory

Detect suspicious parent processes of well-known Windows processes

status test author vburov id 96036718-71cc-4027-a538-d1587e0006a7

view Sigma YAML

title: Windows Processes Suspicious Parent Directory
id: 96036718-71cc-4027-a538-d1587e0006a7
status: test
description: Detect suspicious parent processes of well-known Windows processes
references:
    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
    - https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/
    - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf
author: vburov
date: 2019-02-23
modified: 2025-03-06
tags:
    - attack.stealth
    - attack.t1036.003
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\svchost.exe'
            - '\taskhost.exe'
            - '\lsm.exe'
            - '\lsass.exe'
            - '\services.exe'
            - '\lsaiso.exe'
            - '\csrss.exe'
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_sys:
        - ParentImage|endswith:
              - '\SavService.exe'
              - '\ngen.exe'
        - ParentImage|contains:
              - '\System32\'
              - '\SysWOW64\'
    filter_msmpeng:
        ParentImage|contains:
            - '\Windows Defender\'
            - '\Microsoft Security Client\'
        ParentImage|endswith: '\MsMpEng.exe'
    filter_null:
        - ParentImage: null
        - ParentImage:
              - ''
              - '-'
    condition: selection and not 1 of filter_*
falsepositives:
    - Some security products seem to spawn these
level: low

Showing 1-14 of 14

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin