Home/Sigma rules
Sigma

Sigma detection rules

15 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

15 shown of 15
high
Code Executed Via Office Add-in XLL File
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs
status test author frack113 id 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad
view Sigma YAML 
title: Code Executed Via Office Add-in XLL File
id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad
status: test
description: |
    Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
    Office add-ins can be used to add functionality to Office programs
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
author: frack113
date: 2021-12-28
tags:
    - attack.persistence
    - attack.t1137.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'new-object '
            - '-ComObject '
            - '.application'
            - '.RegisterXLL'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
status test author @ScoubiMtl id e3b50fa5-3c3f-444e-937b-0a99d33731cd
view Sigma YAML 
title: Outlook Macro Execution Without Warning Setting Enabled
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: test
description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\Level'
        Details|contains: '0x00000001' # Enable all Macros
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Potential Persistence Via Excel Add-in - Registry
Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
status test author frack113 id 961e33d1-4f86-4fcf-80ab-930a708b2f82
view Sigma YAML 
title: Potential Persistence Via Excel Add-in - Registry
id: 961e33d1-4f86-4fcf-80ab-930a708b2f82
status: test
description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
author: frack113
date: 2023-01-15
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137.006
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'Software\Microsoft\Office\'
        TargetObject|endswith: '\Excel\Options'
        Details|startswith: '/R '
        Details|endswith: '.xll'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Potential Persistence Via Microsoft Office Add-In
Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
status test author NVISO id 8e1cb247-6cf6-42fa-b440-3f27d57e9936
view Sigma YAML 
title: Potential Persistence Via Microsoft Office Add-In
id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
status: test
description: Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
references:
    - Internal Research
    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
    - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
author: NVISO
date: 2020-05-11
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.t1137.006
logsource:
    category: file_event
    product: windows
detection:
    selection_wlldropped:
        TargetFilename|contains: '\Microsoft\Word\Startup\'
        TargetFilename|endswith: '.wll'
    selection_xlldropped:
        TargetFilename|contains: '\Microsoft\Excel\Startup\'
        TargetFilename|endswith: '.xll'
    selection_xladropped:
        TargetFilename|contains: 'Microsoft\Excel\XLSTART\'
        TargetFilename|endswith: '.xlam'
    selection_generic:
        TargetFilename|contains: '\Microsoft\Addins\'
        TargetFilename|endswith:
            - '.xlam'
            - '.xla'
            - '.ppam'
    condition: 1 of selection_*
falsepositives:
    - Legitimate add-ins
level: high
high
Potential Persistence Via Microsoft Office Startup Folder
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
status test author Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 0e20c89d-2264-44ae-8238-aeeaba609ece
view Sigma YAML 
title: Potential Persistence Via Microsoft Office Startup Folder
id: 0e20c89d-2264-44ae-8238-aeeaba609ece
status: test
description: Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
references:
    - https://insight-jp.nttsecurity.com/post/102hojk/operation-restylink-apt-campaign-targeting-japanese-companies
    - https://learn.microsoft.com/en-us/office/troubleshoot/excel/use-startup-folders
author: Max Altgelt (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-02
modified: 2023-06-22
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: file_event
    product: windows
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\STARTUP'
    selection_word_extension:
        TargetFilename|endswith:
            - '.doc'
            - '.docm'
            - '.docx'
            - '.dot'
            - '.dotm'
            - '.rtf'
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\XLSTART'
    selection_excel_extension:
        TargetFilename|endswith:
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
    filter_main_office:
        Image|endswith:
            - '\WINWORD.exe'
            - '\EXCEL.exe'
    condition: (all of selection_word_* or all of selection_excel_*) and not filter_main_office
falsepositives:
    - Loading a user environment from a backup or a domain controller
    - Synchronization of templates
level: high
high
Potential Persistence Via Outlook Form
Detects the creation of a new Outlook form which can contain malicious code
status test author Tobias Michalski (Nextron Systems) id c3edc6a5-d9d4-48d8-930e-aab518390917
view Sigma YAML 
title: Potential Persistence Via Outlook Form
id: c3edc6a5-d9d4-48d8-930e-aab518390917
status: test
description: Detects the creation of a new Outlook form which can contain malicious code
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79
    - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
    - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
author: Tobias Michalski (Nextron Systems)
date: 2021-06-10
modified: 2023-02-22
tags:
    - attack.persistence
    - attack.t1137.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|contains:
            - '\AppData\Local\Microsoft\FORMS\IPM'
            - '\Local Settings\Application Data\Microsoft\Forms' # Windows XP
    condition: selection
falsepositives:
    - Legitimate use of outlook forms
level: high
high
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
status test author Nasreddine Bencherchali (Nextron Systems) id 396ae3eb-4174-4b9b-880e-dc0364d78a19
view Sigma YAML 
title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
status: test
description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
        Details|contains: '0x00000001'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious Microsoft Office Child Process - MacOS
Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
status test author Sohan G (D4rkCiph3r) id 69483748-1525-4a6c-95ca-90dc8d431b68
view Sigma YAML 
title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: test
description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
references:
    - https://redcanary.com/blog/applescript/
    - https://objective-see.org/blog/blog_0x4B.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2023-02-04
tags:
    - attack.execution
    - attack.persistence
    - attack.t1059.002
    - attack.t1137.002
    - attack.t1204.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - 'Microsoft Word'
            - 'Microsoft Excel'
            - 'Microsoft PowerPoint'
            - 'Microsoft OneNote'
        Image|endswith:
            - '/bash'
            - '/curl'
            - '/dash'
            - '/fish'
            - '/osacompile'
            - '/osascript'
            - '/sh'
            - '/zsh'
            - '/python'
            - '/python3'
            - '/wget'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious Outlook Macro Created
Detects the creation of a macro file for Outlook.
status test author Nasreddine Bencherchali (Nextron Systems) id 117d3d3a-755c-4a61-b23e-9171146d094c
view Sigma YAML 
title: Suspicious Outlook Macro Created
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
    - id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    filter:
        Image|endswith: '\outlook.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
medium
IE Change Domain Zone
Hides the file extension through modification of the registry
status test author frack113 id 45e112d0-7759-4c2a-aa36-9f8fb79d3393
view Sigma YAML 
title: IE Change Domain Zone
id: 45e112d0-7759-4c2a-aa36-9f8fb79d3393
related:
    - id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
      type: derived
status: test
description: Hides the file extension through modification of the registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-4---add-domain-to-trusted-sites-zone
    - https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries
author: frack113
date: 2022-01-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection_domains:
        TargetObject|contains: \SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    filter:
        Details:
            - DWORD (0x00000000) # My Computer
            - DWORD (0x00000001) # Local Intranet Zone
            - '(Empty)'
    condition: selection_domains and not filter
falsepositives:
    - Administrative scripts
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_change_security_zones/info.yml
simulation:
    - type: atomic-red-team
      name: Add Domain to Trusted Sites Zone
      technique: T1112
      atomic_guid: cf447677-5a4e-4937-a82c-e47d254afd57
medium
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
status test author @ScoubiMtl id 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
view Sigma YAML 
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
    - id: 117d3d3a-755c-4a61-b23e-9171146d094c
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    condition: selection
falsepositives:
    - User genuinely creates a VB Macro for their email
level: medium
medium
Office Application Startup - Office Test
Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
status test author omkar72 id 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
view Sigma YAML 
title: Office Application Startup - Office Test
id: 3d27f6dd-1c74-4687-b4fa-ca849d128d1c
status: test
description: Detects the addition of office test registry that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started
references:
    - https://unit42.paloaltonetworks.com/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/
author: omkar72
date: 2020-10-25
modified: 2023-11-08
tags:
    - attack.persistence
    - attack.t1137.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Microsoft\Office test\Special\Perf'
    condition: selection
falsepositives:
    - Unlikely
level: medium
medium
Outlook Security Settings Updated - Registry
Detects changes to the registry values related to outlook security settings
status test author frack113 id c3cefdf4-6703-4e1c-bad8-bf422fc5015a
view Sigma YAML 
title: Outlook Security Settings Updated - Registry
id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
related:
    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # EnableUnsafeClientMailRules
      type: similar
status: test
description: Detects changes to the registry values related to outlook security settings
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
    - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
author: frack113
date: 2021-12-28
modified: 2026-01-09
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Office\'
            - '\Outlook\Security\'
    filter_main_outlook:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrative activity
level: medium
medium
Potential Persistence Via Visual Studio Tools for Office
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
status test author Bhabesh Raj id 9d15044a-7cfe-4d23-8085-6ebc11df7685
view Sigma YAML 
title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
    - https://twitter.com/_vivami/status/1347925307643355138
    - https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2026-01-09
tags:
    - attack.t1137.006
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Office\Outlook\Addins\'
            - '\Software\Microsoft\Office\Word\Addins\'
            - '\Software\Microsoft\Office\Excel\Addins\'
            - '\Software\Microsoft\Office\Powerpoint\Addins\'
            - '\Software\Microsoft\VSTO\Security\Inclusion\'
    filter_main_system:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
    filter_main_office_click_to_run:
        Image|startswith:
            - 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_main_office_apps:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
            - 'C:\PROGRA~2\MICROS~2\Office'
        Image|endswith:
            - '\excel.exe'
            - '\Integrator.exe'
            - '\OneNote.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\Teams.exe'
            - '\visio.exe'
            - '\winword.exe'
    filter_main_vsto:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
        Image|endswith: '\VSTOInstaller.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate Addin Installation
level: medium
medium
Registry Modification to Hidden File Extension
Hides the file extension through modification of the registry
status test author frack113 id 5df86130-4e95-4a54-90f7-26541b40aec2
view Sigma YAML 
title: Registry Modification to Hidden File Extension
id: 5df86130-4e95-4a54-90f7-26541b40aec2
status: test
description: Hides the file extension through modification of the registry
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd
    - https://unit42.paloaltonetworks.com/ransomware-families/
    - https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A
author: frack113
date: 2022-01-22
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection_HideFileExt:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt'
        Details: 'DWORD (0x00000001)'
    selection_Hidden:
        TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
        Details: 'DWORD (0x00000002)'
    condition: 1 of selection_*
falsepositives:
    - Administrative scripts
level: medium
Showing 1-15 of 15
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin