Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
Status: test | Author: Sreeman, Nasreddine Bencherchali (Nextron Systems) | ID: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
title: Curl Download And Execute Combination
id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
status: test
description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
references:
- https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link
author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-13
modified: 2024-03-05
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -c '
        CommandLine|contains|all:
            - 'curl '
            - 'http'
            - '-o'
            - '&'
    condition: selection
falsepositives:
- Unknown
level: high
File Download And Execution Via IEExec.EXE
Detects execution of the IEExec utility to download and execute files
Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 9801abb8-e297-4dbf-9fbd-57dde0e830ad
title: File Download And Execution Via IEExec.EXE
id: 9801abb8-e297-4dbf-9fbd-57dde0e830ad
status: test
description: Detects execution of the IEExec utility to download and execute files
references:
- https://lolbas-project.github.io/lolbas/Binaries/Ieexec/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-16
modified: 2023-11-09
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\IEExec.exe'
        - OriginalFileName: 'IEExec.exe'
    selection_cli:
        CommandLine|contains:
            - 'http://'
            - 'https://'
    condition: all of selection_*
falsepositives:
- Unknown
level: high
File Download From IP Based URL Via CertOC.EXE
Detects when a user downloads a file from an IP based URL using CertOC.exe
Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
title: File Download From IP Based URL Via CertOC.EXE
id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
related:
    - id: 70ad0861-d1fe-491c-a45f-fa48148a300d
      type: similar
status: test
description: Detects when a user downloads a file from an IP based URL using CertOC.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-10-18
tags:
- attack.command-and-control
- attack.execution
- attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certoc.exe'
        - OriginalFileName: 'CertOC.exe'
    selection_ip:
        CommandLine|re: '://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    selection_cli:
        CommandLine|contains: '-GetCACAPS'
    condition: all of selection*
falsepositives:
- Unknown
level: high
File Download Using Notepad++ GUP Utility
Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 44143844-0631-49ab-97a0-96387d6b2d7c
title: File Download Using Notepad++ GUP Utility
id: 44143844-0631-49ab-97a0-96387d6b2d7c
status: test
description: Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
references:
- https://twitter.com/nas_bench/status/1535322182863179776
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-10
modified: 2023-03-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\GUP.exe'
        - OriginalFileName: 'gup.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' -unzipTo '
            - 'http'
    filter:
        ParentImage|endswith: '\notepad++.exe'
    condition: all of selection* and not filter
falsepositives:
- Other parent processes other than notepad++ using GUP that are not currently identified
level: high
high
File Download Via Bitsadmin To A Suspicious Target Folder
Detects usage of bitsadmin downloading a file to a suspicious target folder
Detects execution of the "finger.exe" utility.
Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
Status: test | Author: Florian Roth (Nextron Systems), omkar72, oscd.community | ID: af491bca-e752-4b44-9c86-df5680533dbc
title: Finger.EXE Execution
id: af491bca-e752-4b44-9c86-df5680533dbc
related:
    - id: c082c2b0-525b-4dbc-9a26-a57dc4692074
      type: similar
    - id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
      type: similar
status: test
description: |
    Detects execution of the "finger.exe" utility.
    Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon.
    Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
references:
- https://twitter.com/bigmacjpg/status/1349727699863011328?s=12
- https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/
- http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt
author: Florian Roth (Nextron Systems), omkar72, oscd.community
date: 2021-02-24
modified: 2024-06-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'finger.exe'
        - Image|endswith: '\finger.exe'
    condition: selection
falsepositives:
- Admin activity (unclear what they do nowadays with finger.exe)
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_finger_execution/info.yml
Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
Status: experimental | Author: Swachchhanda Shrawan Poudel (Nextron Systems) | ID: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
title: Legitimate Application Writing Files In Uncommon Location
id: 1cf465a1-2609-4c15-9b66-c32dbe4bfd67
related:
    - id: 2ddef153-167b-4e89-86b6-757a9e65dcac # bitsadmin dedicated rule
      type: similar
status: experimental
description: |
    Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution.
    Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
references:
- https://lolbas-project.github.io/#/download
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-12-10
tags:
- attack.stealth
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
    product: windows
    category: file_event
detection:
    selection_img:
        Image|endswith:
            # Microsoft Office Programs Dropping Executables / Rest of the apps are covered in: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
            - '\eqnedt32.exe'
            - '\wordpad.exe'
            - '\wordview.exe'
            # LOLBINs that can be used to download executables
            - '\cmdl32.exe'
            - '\certutil.exe'
            - '\certoc.exe'
            - '\CertReq.exe'
            - '\bitsadmin.exe'
            - '\Desktopimgdownldr.exe'
            - '\esentutl.exe'
            - '\expand.exe'
            - '\extrac32.exe'
            - '\replace.exe'
            - '\mshta.exe'
            - '\ftp.exe'
            - '\Ldifde.exe'
            - '\RdrCEF.exe'
            - '\hh.exe'
            - '\finger.exe'
            - '\findstr.exe'
    selection_locations:
        TargetFilename|contains:
            - ':\Perflogs'
            - ':\ProgramData\'
            - ':\Temp\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '\$Recycle.Bin\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Desktop\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\wwwroot\'
            - '\Music\'
            - '\Pictures\'
            - '\Start Menu\Programs\Startup\'
            - '\Users\Default\'
            - '\Videos\'
    condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_in_uncommon_location/info.yml
Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
Status: test | Author: frack113 | ID: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
title: Lolbas OneDriveStandaloneUpdater.exe Proxy Download
id: 3aff0be0-7802-4a7e-a4fa-c60c74bc5e1d
status: test
description: |
    Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any
    anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json
references:
- https://lolbas-project.github.io/lolbas/Binaries/OneDriveStandaloneUpdater/
author: frack113
date: 2022-05-28
modified: 2023-08-17
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\OneDrive\UpdateOfficeConfig\UpdateRingSettingURLFromOC'
    condition: selection
falsepositives:
- Unknown
level: high
Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
title: Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder
id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
related:
    - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
      type: obsolete
status: test
description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains.
references:
- https://twitter.com/M_haggis/status/900741347035889665
- https://twitter.com/M_haggis/status/1032799638213066752
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2018-08-30
modified: 2025-12-10
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection_paths:
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - ':\Windows\Temp\'
            - '\AppData\Temp\'
            - '\config\systemprofile\'
            - '\Windows\addins\'
    selection_domains:
        Initiated: 'true'
        DestinationHostname|endswith:
            - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: all of selection_*
falsepositives:
- Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule.
level: high
Network Connection Initiated By IMEWDBLD.EXE
Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
Status: test | Author: frack113 | ID: 8d7e392e-9b28-49e1-831d-5949c6281228
title: Network Connection Initiated By IMEWDBLD.EXE
id: 8d7e392e-9b28-49e1-831d-5949c6281228
related:
    - id: 863218bd-c7d0-4c52-80cd-0a96c09f54af
      type: derived
status: test
description: |
    Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
author: frack113
date: 2022-01-22
modified: 2023-11-09
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\IMEWDBLD.exe'
    condition: selection
falsepositives:
- Unknown
# Note: Please reduce this to medium if you find legitimate connections
level: high
Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
title: Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location
id: 7b434893-c57d-4f41-908d-6a17bf1ae98f
status: test
description: |
    Detects a network connection initiated by programs or processes running from suspicious or uncommon files system locations.
references:
- https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2017-03-19
modified: 2025-12-10
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|contains:
            - ':\$Recycle.bin'
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\Fonts\'
            - ':\Windows\IME\'
            - ':\Windows\System32\Tasks\'
            - ':\Windows\Tasks\'
            - '\config\systemprofile\'
            - '\Contacts\'
            - '\Favorites\'
            - '\Favourites\'
            - '\Music\'
            - '\Pictures\'
            - '\Videos\'
            - '\Windows\addins\'
    filter_main_domains:
        # Note: We exclude these domains to avoid duplicate filtering from e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
        DestinationHostname|endswith:
            - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.co.nz'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'portmap.io' # https://pro.twitter.com/JaromirHorejsi/status/1795001037746761892/photo/2
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
Outbound Network Connection Initiated By Script Interpreter
Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
Status: test | Author: frack113, Florian Roth (Nextron Systems) | ID: 992a6cae-db6a-43c8-9cec-76d7195c96fc
title: Outbound Network Connection Initiated By Script Interpreter
id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
related:
    - id: 08249dc0-a28d-4555-8ba5-9255a198e08c
      type: derived
status: test
description: Detects a script interpreter wscript/cscript opening a network connection to a non-local network. Adversaries may use script to download malicious payloads.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113, Florian Roth (Nextron Systems)
date: 2022-08-28
modified: 2024-03-13
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128' # IPv6 loopback
            - 'fe80::/10' # IPv6 link-local addresses
            - 'fc00::/7' # IPv6 private addresses
    filter_main_ms_ranges:
        DestinationIp|cidr: '20.0.0.0/11' # Microsoft range, caused some FPs
    condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate scripts
level: high
PUA - Nimgrab Execution
Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
Status: test | Author: frack113 | ID: 74a12f18-505c-4114-8d0b-8448dd5485c6
title: PUA - Nimgrab Execution
id: 74a12f18-505c-4114-8d0b-8448dd5485c6
status: test
description: Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022-08-28
modified: 2024-11-23
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_name:
        Image|endswith: '\nimgrab.exe'
    selection_hashes:
        Hashes|contains:
            - MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
            - SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
            - IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
    condition: 1 of selection_*
falsepositives:
- Legitimate use of Nim on a developer systems
level: high
Password Protected ZIP File Opened (Suspicious Filenames)
Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Status: test | Author: Florian Roth (Nextron Systems) | ID: 54f0434b-726f-48a1-b2aa-067df14516e4
title: Password Protected ZIP File Opened (Suspicious Filenames)
id: 54f0434b-726f-48a1-b2aa-067df14516e4
status: test
description: Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
references:
- https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
- attack.command-and-control
- attack.stealth
- attack.t1027
- attack.t1105
- attack.t1036
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains: 'Microsoft_Windows_Shell_ZipFolder:filename'
    selection_filename:
        TargetName|contains:
            - 'invoice'
            - 'new order'
            - 'rechnung'
            - 'factura'
            - 'delivery'
            - 'purchase'
            - 'order'
            - 'payment'
    condition: selection and selection_filename
falsepositives:
- Legitimate used of encrypted ZIP files
level: high
PrintBrm ZIP Creation of Extraction
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Status: test | Author: frack113 | ID: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
title: PrintBrm ZIP Creation of Extraction
id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
status: test
description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
references:
- https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
author: frack113
date: 2022-05-02
tags:
- attack.command-and-control
- attack.stealth
- attack.t1105
- attack.t1564.004
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\PrintBrm.exe'
        CommandLine|contains|all:
            - ' -f'
            - '.zip'
    condition: selection
falsepositives:
- Unknown
level: high
Suspicious CertReq Command to Download
Detects a suspicious CertReq execution downloading a file.
This behavior is often used by attackers to download additional payloads or configuration files.
Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
Status: experimental | Author: Christian Burkard (Nextron Systems) | ID: 4480827a-9799-4232-b2c4-ccc6c4e9e12b
title: Suspicious CertReq Command to Download
id: 4480827a-9799-4232-b2c4-ccc6c4e9e12b
status: experimental
description: |
    Detects a suspicious CertReq execution downloading a file.
    This behavior is often used by attackers to download additional payloads or configuration files.
    Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certreq/
author: Christian Burkard (Nextron Systems)
date: 2021-11-24
modified: 2025-10-29
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\certreq.exe'
        - OriginalFileName: 'CertReq.exe'
    selection_cli_flag_post:
        CommandLine|contains|windash: '-Post'
    selection_cli_flag_config:
        CommandLine|contains|windash: '-config'
    selection_cli_http:
        CommandLine|contains: 'http'
    condition: all of selection_*
falsepositives:
- Unlikely
level: high
Suspicious Curl.EXE Download
Detects a suspicious curl process start on Windows and outputs the requested document to a local file
title: Suspicious Curl.EXE Download
id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
related:
    - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
      type: derived
    - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download
      type: similar
status: test
description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
references:
- https://twitter.com/max_mal_/status/1542461200797163522
- https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
- https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
- https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
- https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-07-03
modified: 2023-02-21
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection_curl:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
    selection_susp_locations:
        CommandLine|contains:
            - '%AppData%'
            - '%Public%'
            - '%Temp%'
            - '%tmp%'
            - '\AppData\'
            - '\Desktop\'
            - '\Temp\'
            - '\Users\Public\'
            - 'C:\PerfLogs\'
            - 'C:\ProgramData\'
            - 'C:\Windows\Temp\'
    selection_susp_extensions:
        CommandLine|endswith:
            - '.dll'
            - '.gif'
            - '.jpeg'
            - '.jpg'
            - '.png'
            - '.temp'
            - '.tmp'
            - '.txt'
            - '.vbe'
            - '.vbs'
    filter_optional_git_windows:
        # Example FP
        # CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
        ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe'
        Image: 'C:\Program Files\Git\mingw64\bin\curl.exe'
        CommandLine|contains|all:
            - '--silent --show-error --output '
            - 'gfw-httpget-'
            - 'AppData'
    condition: selection_curl and 1 of selection_susp_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_susp_download/info.yml
simulation:
    - type: atomic-red-team
      name: Curl Download File
      technique: T1105
      atomic_guid: 2b080b99-0deb-4d51-af0f-833d37c4ca6a
Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Status: test | Author: Florian Roth (Nextron Systems) | ID: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
title: Suspicious Desktopimgdownldr Command
id: bb58aa4a-b80b-415a-a2c0-2f65a4c81009
status: test
description: Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: ' /lockscreenurl:'
    selection1_filter:
        CommandLine|contains:
            - '.jpg'
            - '.jpeg'
            - '.png'
    selection_reg:
        CommandLine|contains|all:
            - 'reg delete'
            - '\PersonalizationCSP'
    condition: ( selection1 and not selection1_filter ) or selection_reg
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
Suspicious Desktopimgdownldr Target File
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Status: test | Author: Florian Roth (Nextron Systems) | ID: fc4f4817-0c53-4683-a4ee-b17a64bc1039
title: Suspicious Desktopimgdownldr Target File
id: fc4f4817-0c53-4683-a4ee-b17a64bc1039
status: test
description: Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
references:
- https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
- https://twitter.com/SBousseaden/status/1278977301745741825
author: Florian Roth (Nextron Systems)
date: 2020-07-03
modified: 2022-06-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\svchost.exe'
        TargetFilename|contains: '\Personalization\LockScreenImage\'
    filter1:
        TargetFilename|contains: 'C:\Windows\'
    filter2:
        TargetFilename|contains:
            - '.jpg'
            - '.jpeg'
            - '.png'
    condition: selection and not filter1 and not filter2
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: high
high
Suspicious Download From File-Sharing Website Via Bitsadmin
Detects usage of bitsadmin downloading a file from a suspicious domain
Status: test | Author: Florian Roth (Nextron Systems) | ID: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
title: Suspicious Download from Office Domain
id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
status: test
description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
references:
- https://twitter.com/an0n_r0/status/1474698356635193346?s=12
- https://twitter.com/mrd0x/status/1475085452784844803?s=12
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-27
modified: 2022-08-02
tags:
- attack.command-and-control
- attack.resource-development
- attack.t1105
- attack.t1608
logsource:
    product: windows
    category: process_creation
detection:
    selection_download:
        - Image|endswith:
              - '\curl.exe'
              - '\wget.exe'
        - CommandLine|contains:
              - 'Invoke-WebRequest'
              - 'iwr '
              - 'curl '
              - 'wget '
              - 'Start-BitsTransfer'
              - '.DownloadFile('
              - '.DownloadString('
    selection_domains:
        CommandLine|contains:
            - 'https://attachment.outlook.live.net/owa/'
            - 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
    condition: all of selection_*
falsepositives:
- Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
level: high
Suspicious Dropbox API Usage
Detects an executable that isn't dropbox but communicates with the Dropbox API
Status: test | Author: Florian Roth (Nextron Systems) | ID: 25eabf56-22f0-4915-a1ed-056b8dae0a68
title: Suspicious Dropbox API Usage
id: 25eabf56-22f0-4915-a1ed-056b8dae0a68
status: test
description: Detects an executable that isn't dropbox but communicates with the Dropbox API
references:
- https://app.any.run/tasks/7e906adc-9d11-447f-8641-5f40375ecebb
- https://www.zscaler.com/blogs/security-research/new-espionage-attack-molerats-apt-targeting-users-middle-east
author: Florian Roth (Nextron Systems)
date: 2022-04-20
tags:
- attack.command-and-control
- attack.exfiltration
- attack.t1105
- attack.t1567.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|endswith:
            - 'api.dropboxapi.com'
            - 'content.dropboxapi.com'
    filter_main_legit_dropbox:
        # Note: It's better to add a specific path to the exact location(s) where dropbox is installed
        Image|contains: '\Dropbox'
    condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate use of the API with a tool that the author wasn't aware of
level: high
Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
server, creates a file with suspicious file type, indicating that it may be an executable, script file,
or otherwise unusual.
Status: experimental | Author: Micah Babinski | ID: e890acee-d488-420e-8f20-d9b19b3c3d43
title: Suspicious File Created by ArcSOC.exe
id: e890acee-d488-420e-8f20-d9b19b3c3d43
status: experimental
description: |
    Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS
    server, creates a file with suspicious file type, indicating that it may be an executable, script file,
    or otherwise unusual.
references:
- https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise/
- https://enterprise.arcgis.com/en/server/12.0/administer/windows/inside-an-arcgis-server-site.htm
author: Micah Babinski
date: 2025-11-25
tags:
- attack.command-and-control
- attack.persistence
- attack.initial-access
- attack.execution
- attack.stealth
- attack.t1127
- attack.t1105
- attack.t1133
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ArcSOC.exe'
        TargetFilename|endswith:
            - '.ahk'
            - '.aspx'
            - '.au3'
            - '.bat'
            - '.cmd'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.py'
            - '.vbe'
            - '.vbs'
            - '.wsf'
    condition: selection
falsepositives:
- Unlikely
level: high
Suspicious File Downloaded From Direct IP Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Status: test | Author: Nasreddine Bencherchali (Nextron Systems) | ID: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
title: Suspicious File Downloaded From Direct IP Via Certutil.EXE
id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829
related:
- id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
type: similar
- id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794 # File sharing download
type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://twitter.com/_JohnHammond/status/1708910264261980634
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-01
tags:
- attack.stealth
- attack.t1027
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
- 'URL '
selection_http:
CommandLine|contains:
- '://1'
- '://2'
- '://3'
- '://4'
- '://5'
- '://6'
- '://7'
- '://8'
- '://9'
# filter_local_ips:
# # Note: Uncomment this filter if you want to exclude local IPs
# CommandLine|contains:
# - '://10.' # 10.0.0.0/8
# - '://192.168.' # 192.168.0.0/16
# - '://172.16.' # 172.16.0.0/12
# - '://172.17.'
# - '://172.18.'
# - '://172.19.'
# - '://172.20.'
# - '://172.21.'
# - '://172.22.'
# - '://172.23.'
# - '://172.24.'
# - '://172.25.'
# - '://172.26.'
# - '://172.27.'
# - '://172.28.'
# - '://172.29.'
# - '://172.30.'
# - '://172.31.'
# - '://127.' # 127.0.0.0/8
# - '://169.254.' # 169.254.0.0/16
filter_main_seven_zip:
CommandLine|contains: '://7-' # For https://7-zip.org/
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip/info.yml
high
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
view Sigma YAML
title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
id: 42a5f1e7-9603-4f6d-97ae-3f37d130d794
related:
- id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b # Direct IP download
type: similar
- id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download
type: similar
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- https://forensicitguy.github.io/agenttesla-vba-certutil-download/
- https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/
- https://twitter.com/egre55/status/1087685529016193025
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
- https://www.hexacorn.com/blog/2020/08/23/certutil-one-more-gui-lolbin
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-15
modified: 2025-12-10
tags:
- attack.stealth
- attack.t1027
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certutil.exe'
- OriginalFileName: 'CertUtil.exe'
selection_flags:
CommandLine|contains:
- 'urlcache '
- 'verifyctl '
- 'URL '
selection_http:
CommandLine|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains/info.yml
high
Suspicious Invoke-WebRequest Execution
Detects a suspicious call to the Invoke-WebRequest cmdlet where the output is located in a suspicious location
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
view Sigma YAML
title: Suspicious Invoke-WebRequest Execution
id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
related:
- id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
type: derived
status: test
description: Detects a suspicious call to the Invoke-WebRequest cmdlet where the output is located in a suspicious location
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-07-18
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'powershell_ise.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_commands:
CommandLine|contains:
# These are all aliases of Invoke-WebRequest
- 'curl '
- 'Invoke-WebRequest'
- 'iwr '
- 'wget '
selection_flags:
CommandLine|contains:
- ' -ur'
- ' -o'
selection_susp_locations:
CommandLine|contains:
- '\AppData\'
- '\Desktop\'
- '\Temp\'
- '\Users\Public\'
- '%AppData%'
- '%Public%'
- '%Temp%'
- '%tmp%'
- ':\Windows\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Uncommon Network Connection Initiated By Certutil.EXE
Detects a network connection initiated by the certutil.exe utility.
Attackers can abuse the utility in order to download malware or additional payloads.
status: test | author: frack113, Florian Roth (Nextron Systems) | id: 0dba975d-a193-4ed1-a067-424df57570d1
view Sigma YAML
title: Uncommon Network Connection Initiated By Certutil.EXE
id: 0dba975d-a193-4ed1-a067-424df57570d1
status: test
description: |
Detects a network connection initiated by the certutil.exe utility.
Attackers can abuse the utility in order to download malware or additional payloads.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
author: frack113, Florian Roth (Nextron Systems)
date: 2022-09-02
modified: 2024-05-31
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith: '\certutil.exe'
Initiated: 'true'
DestinationPort:
- 80
- 135
- 443
- 445
condition: selection
falsepositives:
- Unknown
level: high
medium
AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
status: test | author: frack113 | id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
view Sigma YAML
title: AppX Package Installation Attempts Via AppInstaller.EXE
id: 7cff77e1-9663-46a3-8260-17f2e1aa9d0a
related:
- id: 180c7c5c-d64b-4a63-86e9-68910451bc8b
type: derived
status: test
description: |
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
references:
- https://twitter.com/notwhickey/status/1333900137232523264
- https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/
author: frack113
date: 2021-11-24
modified: 2023-11-09
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: dns_query
detection:
selection:
Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_'
Image|endswith: '\AppInstaller.exe'
condition: selection
falsepositives:
- Unknown
level: medium
medium
Arbitrary File Download Via GfxDownloadWrapper.EXE
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file.
status: test | author: Victor Sergeev, oscd.community | id: eee00933-a761-4cd0-be70-c42fe91731e7
view Sigma YAML
title: Arbitrary File Download Via GfxDownloadWrapper.EXE
id: eee00933-a761-4cd0-be70-c42fe91731e7
status: test
description: Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file.
references:
- https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-10-18
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\GfxDownloadWrapper.exe'
CommandLine|contains:
- 'http://'
- 'https://'
filter_main_known_urls:
CommandLine|contains: 'https://gameplayapi.intel.com/'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
medium
Command Line Execution with Suspicious URL and AppData Strings
Detects a suspicious command line execution that includes a URL and AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
status: test | author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | id: 1ac8666b-046f-4201-8aba-1951aaec03a3
view Sigma YAML
title: Command Line Execution with Suspicious URL and AppData Strings
id: 1ac8666b-046f-4201-8aba-1951aaec03a3
status: test
description: Detects a suspicious command line execution that includes a URL and AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
references:
- https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100
- https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-16
modified: 2021-11-27
tags:
- attack.execution
- attack.command-and-control
- attack.t1059.003
- attack.t1059.001
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\cmd.exe'
CommandLine|contains|all:
- 'http' # captures both http and https
- '://'
- '%AppData%'
condition: selection
falsepositives:
- High
level: medium
medium
Download File To Potentially Suspicious Directory Via Wget
Detects the use of wget to download content to a suspicious directory
status: test | author: Joseliyo Sanchez, @Joseliyo_Jstnk | id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
view Sigma YAML
title: Download File To Potentially Suspicious Directory Via Wget
id: cf610c15-ed71-46e1-bdf8-2bd1a99de6c4
status: test
description: Detects the use of wget to download content to a suspicious directory
references:
- https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
- https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
- https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
- https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: linux
detection:
selection_img:
Image|endswith: '/wget'
selection_output:
- CommandLine|re: '\s-O\s' # We use regex to ensure a case sensitive argument detection
- CommandLine|contains: '--output-document'
selection_path:
CommandLine|contains: '/tmp/'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Download from Suspicious Dyndns Hosts
Detects download of certain file types from hosts with dynamic DNS names (selected list)
status: test | author: Florian Roth (Nextron Systems) | id: 195c1119-ef07-4909-bb12-e66f5e07bf3c
Executable from Webdav
Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
status: test | author: SOC Prime, Adam Swan | id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
view Sigma YAML
title: Executable from Webdav
id: aac2fd97-bcba-491b-ad66-a6edf89c71bf
status: test
description: 'Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/'
references:
- http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html
- https://github.com/OTRF/detection-hackathon-apt29
author: 'SOC Prime, Adam Swan'
date: 2020-05-01
modified: 2021-11-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: zeek
service: http
detection:
selection_webdav:
- c-useragent|contains: 'WebDAV'
- c-uri|contains: 'webdav'
selection_executable:
- resp_mime_types|contains: 'dosexec'
- c-uri|endswith: '.exe'
condition: selection_webdav and selection_executable
falsepositives:
- Unknown
level: medium
medium
File Download From Browser Process Via Inline URL
Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
title: File Download From Browser Process Via Inline URL
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
description: Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
references:
- https://twitter.com/mrd0x/status/1478116126005641220
- https://lolbas-project.github.io/lolbas/Binaries/Msedge/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-11
modified: 2025-10-27
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\msedge.exe'
- '\opera.exe'
- '\vivaldi.exe'
selection_http:
CommandLine|contains: 'http'
selection_extensions:
- CommandLine|endswith:
- '.7z'
- '.dat'
- '.dll'
- '.exe'
- '.hta'
- '.ps1'
- '.psm1'
- '.txt'
- '.vbe'
- '.vbs'
- '.zip'
- CommandLine|contains:
- '.7z"'
- '.dat"'
- '.dll"'
- '.hta"'
- '.ps1"'
- '.psm1"'
- '.txt"'
- '.vbe"'
- '.vbs"'
- '.zip"'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download/info.yml
medium
File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
status: test | author: Michael Haag, FPT.EagleEye | id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
view Sigma YAML
title: File Download Via Bitsadmin
id: d059842b-6b9d-4ed1-b5c3-5b89143c6ede
status: test
description: Detects usage of bitsadmin downloading a file
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
- https://isc.sans.edu/diary/22264
- https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/
author: Michael Haag, FPT.EagleEye
date: 2017-03-09
modified: 2023-02-15
tags:
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1197
- attack.s0190
- attack.t1036.003
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\bitsadmin.exe'
- OriginalFileName: 'bitsadmin.exe'
selection_cmd:
CommandLine|contains: ' /transfer '
selection_cli_1:
CommandLine|contains:
- ' /create '
- ' /addfile '
selection_cli_2:
CommandLine|contains: 'http'
condition: selection_img and (selection_cmd or all of selection_cli_*)
falsepositives:
- Some legitimate apps use this, but limited.
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_bitsadmin_download/info.yml
simulation:
- type: atomic-red-team
name: Windows - BITSAdmin BITS Download
technique: T1105
atomic_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
medium
File Download Via Nscurl - MacOS
Detects the execution of the nscurl utility in order to download files.
status: test | author: Daniel Cortez | id: 6d8a7cf1-8085-423b-b87d-7e880faabbdf
view Sigma YAML
title: File Download Via Nscurl - MacOS
id: 6d8a7cf1-8085-423b-b87d-7e880faabbdf
status: test
description: Detects the execution of the nscurl utility in order to download files.
references:
- https://www.loobins.io/binaries/nscurl/
- https://www.agnosticdev.com/content/how-diagnose-app-transport-security-issues-using-nscurl-and-openssl
- https://gist.github.com/nasbench/ca6ef95db04ae04ffd1e0b1ce709cadd
author: Daniel Cortez
date: 2024-06-04
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith: '/nscurl'
CommandLine|contains:
- '--download '
- '--download-directory '
- '--output '
- '-dir '
- '-dl '
- '-ld'
- '-o '
condition: selection
falsepositives:
- Legitimate usage of nscurl by administrators and users.
level: medium
medium
File Download via CertOC.EXE
Detects when a user downloads a file by using CertOC.exe
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 70ad0861-d1fe-491c-a45f-fa48148a300d
view Sigma YAML
title: File Download via CertOC.EXE
id: 70ad0861-d1fe-491c-a45f-fa48148a300d
related:
- id: b86f6dea-0b2f-41f5-bdcc-a057bd19cd6a
type: similar
status: test
description: Detects when a user downloads a file by using CertOC.exe
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certoc/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-16
modified: 2023-10-18
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\certoc.exe'
- OriginalFileName: 'CertOC.exe'
selection_cli:
CommandLine|contains|all:
- '-GetCACAPS'
- 'http'
condition: all of selection*
falsepositives:
- Unknown
level: medium
medium
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
status: test | author: Omar Khaled (@beacon_exe) | id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
view Sigma YAML
title: Hidden Flag Set On File/Directory Via Chflags - MacOS
id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
status: test
description: |
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
references:
- https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
- https://ss64.com/mac/chflags.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-21
tags:
- attack.credential-access
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1564.004
- attack.t1552.001
- attack.t1105
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/chflags'
CommandLine|contains: 'hidden '
condition: selection
falsepositives:
- Legitimate usage of chflags by administrators and users.
level: medium
medium
Import LDAP Data Interchange Format File Via Ldifde.EXE
Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
status: test | author: @gott_cyber | id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
view Sigma YAML
title: Import LDAP Data Interchange Format File Via Ldifde.EXE
id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
status: test
description: |
Detects the execution of "Ldifde.exe" with the import flag "-i". This can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
references:
- https://twitter.com/0gtweet/status/1564968845726580736
- https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber'
date: 2022-09-02
modified: 2023-03-14
tags:
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ldifde.exe'
- OriginalFileName: 'ldifde.exe'
selection_cli:
CommandLine|contains|all:
- '-i'
- '-f'
condition: all of selection_*
falsepositives:
- Since the content of the files is unknown, false positives are expected
level: medium
medium
Local Network Connection Initiated By Script Interpreter
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
status: test | author: frack113 | id: 08249dc0-a28d-4555-8ba5-9255a198e08c
view Sigma YAML
title: Local Network Connection Initiated By Script Interpreter
id: 08249dc0-a28d-4555-8ba5-9255a198e08c
related:
- id: 992a6cae-db6a-43c8-9cec-76d7195c96fc
type: derived
status: test
description: |
Detects a script interpreter (Wscript/Cscript) initiating a local network connection to download or execute a script hosted on a shared folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
author: frack113
date: 2022-08-28
modified: 2024-05-31
tags:
- attack.command-and-control
- attack.t1105
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
# Note: This list is added to avoid duplicate alerting with 992a6cae-db6a-43c8-9cec-76d7195c96fc
DestinationIp|cidr:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '169.254.0.0/16'
- '::1/128' # IPv6 loopback
- 'fe80::/10' # IPv6 link-local addresses
- 'fc00::/7' # IPv6 private addresses
condition: selection
falsepositives:
- Legitimate scripts
level: medium
medium
MsiExec Web Install
Detects suspicious msiexec process starts with web addresses as parameter
status: test | author: Florian Roth (Nextron Systems) | id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
view Sigma YAML
title: MsiExec Web Install
id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f
related:
- id: 8150732a-0c9d-4a99-82b9-9efb9b90c40c
type: similar
status: test
description: Detects suspicious msiexec process starts with web addresses as parameter
references:
- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
author: Florian Roth (Nextron Systems)
date: 2018-02-09
modified: 2022-01-07
tags:
- attack.stealth
- attack.t1218.007
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- ' msiexec'
- '://'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
medium
Potential COM Objects Download Cradles Usage - PS Script
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
status: test | author: frack113 | id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
view Sigma YAML
title: Potential COM Objects Download Cradles Usage - PS Script
id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
related:
- id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022-12-25
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
selection_1:
ScriptBlockText|contains: '[Type]::GetTypeFromCLSID('
selection_2:
ScriptBlockText|contains:
- '0002DF01-0000-0000-C000-000000000046'
- 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
- 'F5078F35-C551-11D3-89B9-0000F81FE221'
- '88d96a0a-f192-11d4-a65f-0040963251e5'
- 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
- 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
- '88d96a0b-f192-11d4-a65f-0040963251e5'
- '2087c2f4-2cef-4953-a8ab-66779b670495'
- '000209FF-0000-0000-C000-000000000046'
- '00024500-0000-0000-C000-000000000046'
condition: all of selection_*
falsepositives:
- Legitimate use of the library
level: medium
medium
Potential COM Objects Download Cradles Usage - Process Creation
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
status: test | author: frack113 | id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
view Sigma YAML
title: Potential COM Objects Download Cradles Usage - Process Creation
id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
related:
- id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
type: similar
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57
author: frack113
date: 2022-12-25
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: process_creation
detection:
selection_1:
CommandLine|contains: '[Type]::GetTypeFromCLSID('
selection_2:
CommandLine|contains:
- '0002DF01-0000-0000-C000-000000000046'
- 'F6D90F16-9C73-11D3-B32E-00C04F990BB4'
- 'F5078F35-C551-11D3-89B9-0000F81FE221'
- '88d96a0a-f192-11d4-a65f-0040963251e5'
- 'AFBA6B42-5692-48EA-8141-DC517DCF0EF1'
- 'AFB40FFD-B609-40A3-9828-F88BBE11E4E3'
- '88d96a0b-f192-11d4-a65f-0040963251e5'
- '2087c2f4-2cef-4953-a8ab-66779b670495'
- '000209FF-0000-0000-C000-000000000046'
- '00024500-0000-0000-C000-000000000046'
condition: all of selection_*
falsepositives:
- Legitimate use of the library
level: medium
medium
Potential DLL File Download Via PowerShell Invoke-WebRequest
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
status: test | author: Florian Roth (Nextron Systems), Hieu Tran | id: 0f0450f3-8b47-441e-a31b-15a91dc243e2
Potential Download/Upload Activity Using Type Command
Detects usage of the "type" command to download/upload data from WebDAV server
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
view Sigma YAML
title: Potential Download/Upload Activity Using Type Command
id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
status: test
description: Detects usage of the "type" command to download/upload data from WebDAV server
references:
- https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-14
tags:
- attack.command-and-control
- attack.t1105
logsource:
product: windows
category: process_creation
detection:
# Note: built-in CMD commands do not trigger a process creation event, so this is detected only when they are used in a "/c" command
selection_upload:
CommandLine|contains|all:
- 'type '
- ' > \\\\'
selection_download:
CommandLine|contains|all:
- 'type \\\\'
- ' > ' # Spaces are added to increase atom length and speed up matching. If your backend can handle this, remove the spaces
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
medium
Potential In-Memory Download And Compile Of Payloads
Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
status: test | author: Sohan G (D4rkCiph3r), Red Canary (idea) | id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
view Sigma YAML
title: Potential In-Memory Download And Compile Of Payloads
id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
status: test
description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
references:
- https://redcanary.com/blog/mac-application-bundles/
author: Sohan G (D4rkCiph3r), Red Canary (idea)
date: 2023-08-22
tags:
- attack.command-and-control
- attack.execution
- attack.t1059.007
- attack.t1105
logsource:
category: process_creation
product: macos
detection:
selection:
CommandLine|contains|all:
- 'osacompile'
- 'curl'
condition: selection
falsepositives:
- Unknown
level: medium
medium
Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
status: experimental | author: @kostastsale | id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
view Sigma YAML
title: Potentially Suspicious File Creation by OpenEDR's ITSMService
id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
status: experimental
description: |
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
author: '@kostastsale'
date: 2026-02-19
references:
- https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
- attack.command-and-control
- attack.t1105
- attack.lateral-movement
- attack.t1570
- attack.t1219
logsource:
product: windows
category: file_event
detection:
selection_process:
Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
selection_suspicious_extensions:
TargetFilename|endswith:
- '.7z'
- '.bat'
- '.cmd'
- '.com'
- '.dll'
- '.exe'
- '.hta'
- '.js'
- '.pif'
- '.ps1'
- '.rar'
- '.scr'
- '.vbe'
- '.vbs'
- '.zip'
condition: all of selection_*
falsepositives:
- Legitimate OpenEDR file management operations
- Authorized remote file uploads by IT administrators
- Software deployment through OpenEDR console
level: medium