Sigma is the open, generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs.

Custom File Open Handler Executes PowerShell
Detects the abuse of a custom file open handler to execute PowerShell

title: Custom File Open Handler Executes PowerShell
id: 7530b96f-ad8e-431d-a04d-ac85cc461fdc
status: test
description: Detects the abuse of a custom file open handler to execute PowerShell
references:
    - https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/?cmp=30728
author: CD_R0M_
date: 2022-06-11
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: 'shell\open\command\'
        Details|contains|all:
            - 'powershell'
            - '-command'
    condition: selection
falsepositives:
    - Unknown
level: high
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
Detects both the CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting the msdt.exe binary to load the "sdiageng.dll" library

title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
id: ec8c4047-fad9-416a-8c81-0f479353d7f6
status: test
description: Detects both the CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting the msdt.exe binary to load the "sdiageng.dll" library
references:
    - https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
author: Greg (rule)
date: 2022-06-17
modified: 2023-02-17
tags:
    - attack.stealth
    - attack.t1202
    - cve.2022-30190
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\msdt.exe'
        ImageLoaded|endswith: '\sdiageng.dll'
    condition: selection
falsepositives:
    - Unknown
level: high
Outlook EnableUnsafeClientMailRules Setting Enabled
Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook rules to run applications or execute macros

title: Outlook EnableUnsafeClientMailRules Setting Enabled
id: 55f0a3a1-846e-40eb-8273-677371b8d912
related:
    - id: 6763c6c8-bd01-4687-bc8d-4fa52cf8ba08 # Registry variation
      type: similar
status: test
description: Detects an attacker trying to enable the Outlook security setting "EnableUnsafeClientMailRules", which allows Outlook rules to run applications or execute macros
references:
    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=44
    - https://support.microsoft.com/en-us/topic/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro-in-outlook-2016-and-outlook-2013-e4964b72-173c-959d-5d7b-ead562979048
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '\Outlook\Security\EnableUnsafeClientMailRules'
    condition: selection
falsepositives:
    - Unknown
level: high
Potential Arbitrary Command Execution Using Msdt.EXE
Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the Follina (CVE-2022-30190) vulnerability

title: Potential Arbitrary Command Execution Using Msdt.EXE
id: 258fc8ce-8352-443a-9120-8a11e4857fa5
status: test
description: Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the Follina (CVE-2022-30190) vulnerability
references:
    - https://twitter.com/nao_sec/status/1530196847679401984
    - https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/
    - https://twitter.com/_JohnHammond/status/1531672601067675648
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-29
modified: 2024-03-13
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msdt.exe'
        - OriginalFileName: 'msdt.exe'
    selection_cmd_inline:
        CommandLine|contains: 'IT_BrowseForFile='
    selection_cmd_answerfile_flag:
        CommandLine|contains: ' PCWDiagnostic'
    selection_cmd_answerfile_param:
        CommandLine|contains|windash: ' -af '
    condition: selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)
falsepositives:
    - Unknown
level: high
Potential Arbitrary File Download Using Office Application
Detects potential arbitrary file download using a Microsoft Office application
status: test
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
Potentially Suspicious Child Processes Spawned by ConHost
Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.

title: Potentially Suspicious Child Processes Spawned by ConHost
id: dfa03a09-8b92-4d83-8e74-f72839b1c407
related:
    - id: 7dc2dedd-7603-461a-bc13-15803d132355
      type: similar
status: experimental
description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.stealth
    - attack.t1202
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\conhost.exe'
    selection_child:
        - Image|endswith:
              - '\cmd.exe' # Windows Command Prompt
              - '\cscript.exe' # Windows Script Host (used for scripting exploits)
              - '\mshta.exe' # MSHTA (HTML Application Host, often abused)
              - '\powershell_ise.exe' # PowerShell ISE
              - '\powershell.exe' # Windows PowerShell
              - '\pwsh.exe' # PowerShell Core
              - '\regsvr32.exe' # Windows Registry Server (commonly used for exploits)
              - '\wscript.exe' # Windows Script Host (for executing scripts)
        - OriginalFileName:
              - 'cmd.exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'powershell_ise.exe'
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
level: high
Potentially Suspicious Office Document Executed From Trusted Location
Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to bypass macro security and execute their malicious code.

title: Potentially Suspicious Office Document Executed From Trusted Location
id: f99abdf0-6283-4e71-bd2b-b5c048a94743
status: test
description: Detects the execution of an Office application that points to a document located in a trusted location. Attackers often use this to bypass macro security and execute their malicious code.
references:
    - Internal Research
    - https://twitter.com/Max_Mal_/status/1633863678909874176
    - https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465
    - https://twitter.com/_JohnHammond/status/1588155401752788994
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-10-18
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use
        ParentImage|endswith:
            - '\explorer.exe'
            - '\dopus.exe'
    selection_img:
        - Image|endswith:
              - '\EXCEL.EXE'
              - '\POWERPNT.EXE'
              - '\WINWORD.exe'
        - OriginalFileName:
              - 'Excel.exe'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
    selection_trusted_location:
        CommandLine|contains:
            # Note: these are the default locations. Admins/Users could add additional ones that you need to cover
            - '\AppData\Roaming\Microsoft\Templates'
            - '\AppData\Roaming\Microsoft\Word\Startup\'
            - '\Microsoft Office\root\Templates\'
            - '\Microsoft Office\Templates\'
    filter_main_dotx:
        # Note: We add this filter to avoid curious people clicking on template files
        CommandLine|endswith:
            - '.dotx'
            - '.xltx'
            - '.potx'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Renamed NirCmd.EXE Execution
Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.

title: Renamed NirCmd.EXE Execution
id: 264982dc-dbad-4dce-b707-1e0d3e0f73d9
status: test
description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
    - https://www.nirsoft.net/utils/nircmd.html
author: X__Junior (Nextron Systems)
date: 2024-03-11
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        OriginalFileName: 'NirCmd.exe'
    filter_main_img:
        Image|endswith:
            - '\nircmd.exe'
            - '\nircmdc.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Renamed PAExec Execution
Detects execution of a renamed version of PAExec, which is often used by attackers

title: Renamed PAExec Execution
id: c4e49831-1496-40cf-8ce1-b53f942b02f9
related:
    - id: 7b0666ad-3e38-4e3d-9bab-78b06de85f7b
      type: obsolete
status: test
description: Detects execution of a renamed version of PAExec, which is often used by attackers
references:
    - https://www.poweradmin.com/paexec/
    - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
author: Florian Roth (Nextron Systems), Jason Lynch
date: 2021-05-22
modified: 2024-11-23
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Description: 'PAExec Application'
        - OriginalFileName: 'PAExec.exe'
        - Product|contains: 'PAExec'
        - Hashes|contains:
              - IMPHASH=11D40A7B7876288F919AB819CC2D9802
              - IMPHASH=6444f8a34e99b8f7d9647de66aabe516
              - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
              - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
    filter_main_known_location:
        - Image|endswith: '\paexec.exe'
        - Image|startswith: 'C:\Windows\PAExec-'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Weird admins that rename their tools
    - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
    - When executed with the "-s" flag, PAExec copies itself to the "C:\Windows\" directory under a different name, usually "PAExec-[XXXXX]-[ComputerName]"
level: high
Renamed PingCastle Binary Execution
Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
status: test
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
id: 2433a154-bb3d-42e4-86c3-a26bdac91c45
Renamed ZOHO Dctask64 Execution
Detects a renamed "dctask64.exe" execution, a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.

title: Renamed ZOHO Dctask64 Execution
id: 340a090b-c4e9-412e-bb36-b4b16fe96f9b
status: test
description: |
    Detects a renamed "dctask64.exe" execution, a binary signed by ZOHO Corporation and part of ManageEngine Endpoint Central.
    This binary can be abused for DLL injection, arbitrary command and process execution.
references:
    - https://twitter.com/gN3mes1s/status/1222088214581825540
    - https://twitter.com/gN3mes1s/status/1222095963789111296
    - https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1036
    - attack.t1055.001
    - attack.t1202
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains:
            - 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
            - 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
            - 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
            - 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
    filter_main_legit_name:
        Image|endswith: '\dctask64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Rundll32 Execution Without CommandLine Parameters
Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

title: Rundll32 Execution Without CommandLine Parameters
id: 1775e15e-b61b-4d14-a1a3-80981298085a
status: test
description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
references:
    - https://www.cobaltstrike.com/help-opsec
    - https://twitter.com/ber_m1ng/status/1397948048135778309
author: Florian Roth (Nextron Systems)
date: 2021-05-27
modified: 2023-08-31
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|endswith:
            - '\rundll32.exe'
            - '\rundll32.exe"'
            - '\rundll32'
    filter:
        ParentImage|contains:
            - '\AppData\Local\'
            - '\Microsoft\Edge\'
    condition: selection and not filter
falsepositives:
    - Possible but rare
level: high
Suspicious Child Process Of BgInfo.EXE
Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

title: Suspicious Child Process Of BgInfo.EXE
id: 811f459f-9231-45d4-959a-0266c6311987
related:
    - id: aaf46cdc-934e-4284-b329-34aa701e3771
      type: similar
status: test
description: Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
    - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-16
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\bginfo.exe'
            - '\bginfo64.exe'
    selection_child:
        - Image|endswith:
              - '\calc.exe'
              - '\cmd.exe'
              - '\cscript.exe'
              - '\mshta.exe'
              - '\notepad.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wscript.exe'
        - Image|contains:
              - '\AppData\Local\'
              - '\AppData\Roaming\'
              - ':\Users\Public\'
              - ':\Temp\'
              - ':\Windows\Temp\'
              - ':\PerfLogs\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
Suspicious Remote Child Process From Outlook
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

title: Suspicious Remote Child Process From Outlook
id: e212d415-0e93-435f-9e1a-f29005bb4723
related:
    - id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes
      type: similar
status: test
description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
references:
    - https://github.com/sensepost/ruler
    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2018-12-27
modified: 2023-02-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\outlook.exe'
        Image|startswith: '\\\\'
    condition: selection
falsepositives:
    - Unknown
level: high
Suspicious Service Binary Directory
Detects a service binary running in a suspicious directory

title: Suspicious Service Binary Directory
id: 883faa95-175a-4e22-8181-e5761aeb373c
status: test
description: Detects a service binary running in a suspicious directory
references:
    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
author: Florian Roth (Nextron Systems)
date: 2021-03-09
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - '\Users\Public\'
            - '\$Recycle.bin'
            - '\Users\All Users\'
            - '\Users\Default\'
            - '\Users\Contacts\'
            - '\Users\Searches\'
            - 'C:\Perflogs\'
            - '\config\systemprofile\'
            - '\Windows\Fonts\'
            - '\Windows\IME\'
            - '\Windows\addins\'
        ParentImage|endswith:
            - '\services.exe'
            - '\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Suspicious Splwow64 Without Params
Detects suspicious Splwow64.exe process without any command line parameters

title: Suspicious Splwow64 Without Params
id: 1f1a8509-2cbb-44f5-8751-8e1571518ce2
status: test
description: Detects suspicious Splwow64.exe process without any command line parameters
references:
    - https://twitter.com/sbousseaden/status/1429401053229891590?s=12
author: Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2022-12-25
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\splwow64.exe'
        CommandLine|endswith: 'splwow64.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
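Both this rule and the rundll32 rule above decide "no parameters" from the tail of the raw CommandLine string. The Python below, added here as an example and not part of either rule or of SigmaHQ, splits the command line into argv under the CommandLineToArgvW quoting rules and decides from argv length instead; the sample command lines are constructed. It shows the gap a suffix check has: a trailing space or tab after the image path defeats `endswith` while the process still starts with no argument.

```python
def split_windows_cmdline(cmdline):
    """Split a raw Windows command line into argv using the CommandLineToArgvW
    rules: whitespace separates arguments outside quotes; a backslash is
    literal unless it precedes a double quote; 2n backslashes before a quote
    yield n backslashes and the quote toggles quoting, 2n+1 yield n backslashes
    and a literal quote; two consecutive quotes inside a quoted run are one
    literal quote. (Real CommandLineToArgvW parses argv[0] without backslash
    handling; that simplification does not affect plain file paths.)"""
    args, cur, in_quotes, have_arg, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:            # odd: the quote is literal
                    cur.append('"'); j += 1
            else:                        # no quote follows: all literal
                cur.append("\\" * count)
            i, have_arg = j, True
        elif c == '"':
            if in_quotes and cmdline[i + 1:i + 2] == '"':
                cur.append('"'); i += 2  # doubled quote inside quotes = literal quote
            else:
                in_quotes = not in_quotes; i += 1
            have_arg = True              # an empty "" still counts as an argument
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur)); cur, have_arg = [], False
            i += 1
        else:
            cur.append(c); i += 1; have_arg = True
    if have_arg:
        args.append("".join(cur))
    return args


def runs_without_parameters(cmdline, image_name):
    """True when argv is only the program and its basename is image_name
    (with or without the .exe suffix), compared case-insensitively."""
    argv = split_windows_cmdline(cmdline)
    if len(argv) != 1:
        return False
    base = argv[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = image_name.lower()
    return base in (stem, stem[:-4] if stem.endswith(".exe") else stem)


def sigma_endswith_heuristic(cmdline):
    """The CommandLine|endswith check the rundll32 rule uses, for comparison."""
    return cmdline.endswith(("\\rundll32.exe", '\\rundll32.exe"', "\\rundll32"))
```

For the constructed line `C:\Windows\System32\rundll32.exe ` (trailing space) `sigma_endswith_heuristic` returns False while `runs_without_parameters` returns True; for `rundll32.exe ""` both approaches see a parameter (argv has two elements, the second empty). Sysmon and 4688 record the raw string, so such whitespace survives into telemetry; a converter that normalises or tokenises CommandLine before matching closes the gap.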
Uncommon Child Process Of Setres.EXE
Detects uncommon child process of Setres.EXE.
Setres.EXE is a Windows Server-only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.

title: Uncommon Child Process Of Setres.EXE
id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
status: test
description: |
    Detects uncommon child process of Setres.EXE.
    Setres.EXE is a Windows Server-only process and tool that can be used to set the screen resolution.
    It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Setres/
    - https://twitter.com/0gtweet/status/1583356502340870144
    - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: '@gott_cyber, Nasreddine Bencherchali (Nextron Systems)'
date: 2022-12-11
modified: 2024-06-26
tags:
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\setres.exe'
        Image|contains: '\choice'
    filter_main_legit_location:
        Image|endswith:
            - 'C:\Windows\System32\choice.exe'
            - 'C:\Windows\SysWOW64\choice.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: high
WSL Kali-Linux Usage
Detects the use of Kali Linux through Windows Subsystem for Linux

title: WSL Kali-Linux Usage
id: 6f1a11aa-4b8a-4b7f-9e13-4d3e4ff0e0d4
status: experimental
description: Detects the use of Kali Linux through Windows Subsystem for Linux
references:
    - https://medium.com/@redfanatic7/running-kali-linux-on-windows-51ad95166e6e
    - https://learn.microsoft.com/en-us/windows/wsl/install
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-10
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_appdata:
        - Image|contains|all:
              - ':\Users\'
              - '\AppData\Local\packages\KaliLinux'
        - Image|contains|all:
              - ':\Users\'
              - '\AppData\Local\Microsoft\WindowsApps\kali.exe'
    selection_img_windowsapps:
        Image|contains: ':\Program Files\WindowsApps\KaliLinux.'
        Image|endswith: '\kali.exe'
    selection_kali_wsl_parent:
        ParentImage|endswith:
            - '\wsl.exe'
            - '\wslhost.exe'
    selection_kali_wsl_child:
        - Image|contains:
              - '\kali.exe'
              - '\KaliLinux'
        - CommandLine|contains:
              - 'Kali.exe'
              - 'Kali-linux'
              - 'kalilinux'
    filter_main_install_uninstall:
        CommandLine|contains:
            - ' -i '
            - ' --install '
            - ' --unregister '
    condition: 1 of selection_img_* or all of selection_kali_* and not 1 of filter_main_*
falsepositives:
    - Legitimate installation or usage of Kali Linux WSL by administrators or security teams
level: high
Findstr Launching .lnk File
Detects usage of findstr to identify and execute an .lnk file as seen within the HHS redirect attack

title: Findstr Launching .lnk File
id: 33339be3-148b-4e16-af56-ad16ec6c7e7b
status: test
description: Detects usage of findstr to identify and execute an .lnk file as seen within the HHS redirect attack
references:
    - https://www.bleepingcomputer.com/news/security/hhsgov-open-redirect-used-by-coronavirus-phishing-to-spread-malware/
author: Trent Liffick
date: 2020-05-01
modified: 2024-01-15
tags:
    - attack.stealth
    - attack.t1036
    - attack.t1202
    - attack.t1027.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|endswith:
            - '.lnk'
            - '.lnk"'
            - ".lnk'"
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Indirect Command Execution From Script File Via Bash.EXE
Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

title: Indirect Command Execution From Script File Via Bash.EXE
id: 2d22a514-e024-4428-9dba-41505bd63a5b
related:
    - id: 5edc2273-c26f-406c-83f3-f4d948e740dd
      type: similar
status: test
description: |
    Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly.
    This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bash/
    - https://linux.die.net/man/1/bash
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-15
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - ':\Windows\System32\bash.exe'
              - ':\Windows\SysWOW64\bash.exe'
        - OriginalFileName: 'Bash.exe'
    filter_main_cli_flag:
        CommandLine|contains:
            # Note: we're not interested in flags being passed first
            - 'bash.exe -'
            - 'bash -'
    filter_main_no_cli:
        CommandLine: null
    filter_main_empty:
        CommandLine: ''
    filter_main_no_flag:
        CommandLine:
            - 'bash.exe'
            - 'bash'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
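To see how detection blocks like the ones on this page evaluate against telemetry, here is a small evaluator, added as an example and not part of SigmaHQ or pySigma. It implements only what these rules need: the `contains`/`startswith`/`endswith`/`all`/`windash` modifiers, exact and `null` matches, Sigma's backslash escaping, and a condition evaluator for `and`/`or`/`not`, parentheses and `1 of`/`all of`. Three detection blocks from this page (the msdt rule with its answer-file branch, the Outlook remote child process rule, and the bash script rule directly above) are transcribed as Python dicts so that no YAML library is needed; the process creation events are constructed, not real telemetry, and the windash character set is an assumption.

```python
import re
from fnmatch import fnmatchcase

# windash: a literal '-' also matches '/' and the Unicode dashes Windows parsers
# accept (assumed set: U+2013, U+2014, U+2015)
_WINDASH = "[-/\u2013\u2014\u2015]"

def sigma_regex(value, mods):
    r"""Compile one Sigma string value. '*' and '?' are wildcards; a backslash
    escapes '\', '*' and '?'; any other backslash is literal, so the YAML value
    '\\\\' (four characters) is two literal backslashes, i.e. a UNC prefix."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and value[i + 1:i + 2] in ("\\", "*", "?"):
            out.append(re.escape(value[i + 1])); i += 1  # escaped: literal \ * ?
        elif c == "*": out.append(".*")
        elif c == "?": out.append(".")
        elif c == "-" and "windash" in mods: out.append(_WINDASH)
        else: out.append(re.escape(c))
        i += 1
    pre = ".*" if "contains" in mods or "endswith" in mods else ""
    post = ".*" if "contains" in mods or "startswith" in mods else ""
    return re.compile(pre + "".join(out) + post, re.IGNORECASE | re.DOTALL)  # case-insensitive, as Sigma is

def match_field(event, key, values):
    field, *mods = key.split("|")
    actual = event.get(field)
    values = values if isinstance(values, list) else [values]
    if values == [None]:  # 'CommandLine: null' means the field is absent
        return actual is None
    if actual is None:
        return False
    hits = [sigma_regex(str(v), mods).fullmatch(str(actual)) is not None for v in values]
    return all(hits) if "all" in mods else any(hits)

def match_selection(event, sel):
    if isinstance(sel, list):  # a list of maps is OR-ed, a single map is AND-ed
        return any(match_selection(event, s) for s in sel)
    return all(match_field(event, k, v) for k, v in sel.items())

def evaluate_condition(cond, results):
    """and/or/not, parentheses, '1 of X*' and 'all of X*'; 'and' binds tighter than 'or'."""
    toks, pos = re.findall(r"\(|\)|[^\s()]+", cond) + [None], [0]
    def peek(): return toks[pos[0]]
    def take(): pos[0] += 1; return toks[pos[0] - 1]
    def factor():
        t = take()
        if t == "not":
            return not factor()
        if t == "(":
            v = expr(); take(); return v  # take() consumes ')'
        if t in ("1", "all") and peek() == "of":
            take(); pat = take()
            hits = [v for k, v in results.items() if fnmatchcase(k, pat)]
            return all(hits) if t == "all" else any(hits)
        return results[t]
    def term():
        v = factor()
        while peek() == "and":
            take(); r = factor(); v = v and r  # always parse the right operand
        return v
    def expr():
        v = term()
        while peek() == "or":
            take(); r = term(); v = v or r
        return v
    return expr()

def rule_matches(detection, event):
    """Evaluate a Sigma 'detection' block (transcribed as a dict) against one event."""
    results = {k: match_selection(event, v) for k, v in detection.items() if k != "condition"}
    return evaluate_condition(detection["condition"], results)

# Detection blocks of three rules on this page, transcribed from their YAML
MSDT = {"selection_img": [{"Image|endswith": r"\msdt.exe"}, {"OriginalFileName": "msdt.exe"}],
        "selection_cmd_inline": {"CommandLine|contains": "IT_BrowseForFile="},
        "selection_cmd_answerfile_flag": {"CommandLine|contains": " PCWDiagnostic"},
        "selection_cmd_answerfile_param": {"CommandLine|contains|windash": " -af "},
        "condition": "selection_img and (selection_cmd_inline or all of selection_cmd_answerfile_*)"}
OUTLOOK_REMOTE = {"selection": {"ParentImage|endswith": r"\outlook.exe", "Image|startswith": r"\\\\"},
                  "condition": "selection"}
BASH_SCRIPT = {"selection": [{"Image|endswith": [r":\Windows\System32\bash.exe", r":\Windows\SysWOW64\bash.exe"]},
                             {"OriginalFileName": "Bash.exe"}],
               "filter_main_cli_flag": {"CommandLine|contains": ["bash.exe -", "bash -"]},
               "filter_main_no_cli": {"CommandLine": None},
               "filter_main_empty": {"CommandLine": ""},
               "filter_main_no_flag": {"CommandLine": ["bash.exe", "bash"]},
               "condition": "selection and not 1 of filter_main_*"}

# Constructed process_creation events (not real telemetry)
MSDT_IMG, BASH_IMG = r"C:\Windows\System32\msdt.exe", r"C:\Windows\System32\bash.exe"
OUTLOOK_IMG = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
EVENTS = {
    "follina": {"Image": MSDT_IMG, "CommandLine": 'msdt.exe /id PCWDiagnostic /skip force /param "IT_BrowseForFile=h$(calc.exe)"'},
    "answer_file": {"Image": MSDT_IMG, "CommandLine": r"msdt.exe -id PCWDiagnostic /af C:\Users\Public\answers.xml"},
    "msdt_benign": {"Image": MSDT_IMG, "CommandLine": "msdt.exe -id AudioPlaybackDiagnostic"},
    "outlook_unc": {"ParentImage": OUTLOOK_IMG, "Image": r"\\fileserver\share\update.exe"},
    "outlook_local": {"ParentImage": OUTLOOK_IMG, "Image": r"C:\Windows\System32\cmd.exe"},
    "bash_script": {"Image": BASH_IMG, "CommandLine": r"bash.exe C:\Users\Public\stage.sh"},
    "bash_flag": {"Image": BASH_IMG, "CommandLine": 'bash.exe -c "id"'},
    "bash_no_cmdline": {"Image": BASH_IMG},  # CommandLine field missing entirely
}
```

`rule_matches(MSDT, EVENTS["answer_file"])` is True only because `windash` lets `' -af '` match `/af`; `rule_matches(BASH_SCRIPT, EVENTS["bash_no_cmdline"])` is False because the `CommandLine: null` filter fires on a missing field, which is distinct from the `''` filter for an empty one. `evaluate_condition` also makes the precedence in the WSL Kali-Linux rule's condition visible: with `and` binding tighter than `or`, `1 of selection_img_* or all of selection_kali_* and not 1 of filter_main_*` still fires on the image-path branch when the install/unregister filter matches; parenthesise the condition if the filter is meant to cover both branches.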
Indirect Command Execution via SFTP ProxyCommand
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.

title: Indirect Command Execution via SFTP ProxyCommand
id: 762bb580-79b4-40f4-8b9e-9349ce1710f4
status: experimental
description: |
    Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter.
    Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Sftp/
    - https://news.sophos.com/en-us/2025/05/09/lumma-stealer-coming-and-going/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-04-27
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\sftp.exe'
        CommandLine|contains: 'ProxyCommand='
    condition: selection
falsepositives:
    - Legitimate use of SFTP with proxy commands for administration or networking tasks
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_lolbin_sftp_indirect_cmd_execution/info.yml
Indirect Inline Command Execution Via Bash.EXE
Detects execution of Microsoft bash launcher with the "-c" flag.
This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

title: Indirect Inline Command Execution Via Bash.EXE
id: 5edc2273-c26f-406c-83f3-f4d948e740dd
related:
    - id: 2d22a514-e024-4428-9dba-41505bd63a5b
      type: similar
status: test
description: |
    Detects execution of Microsoft bash launcher with the "-c" flag.
    This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Bash/
author: frack113
date: 2021-11-24
modified: 2023-08-15
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - ':\Windows\System32\bash.exe'
              - ':\Windows\SysWOW64\bash.exe'
        - OriginalFileName: 'Bash.exe'
    selection_cli:
        CommandLine|contains: ' -c '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Potential Arbitrary Command Execution Via FTP.EXE
Detects execution of "ftp.exe" with the "-s" or "/s" script flag and any child processes run by "ftp.exe".

title: Potential Arbitrary Command Execution Via FTP.EXE
id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
status: test
description: Detects execution of "ftp.exe" with the "-s" or "/s" script flag and any child processes run by "ftp.exe".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2024-04-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\ftp.exe'
    selection_child_img:
        - Image|endswith: '\ftp.exe'
        - OriginalFileName: 'ftp.exe'
    selection_child_cli:
        CommandLine|contains|windash: '-s:'
    condition: selection_parent or all of selection_child_*
falsepositives:
    - Unknown
level: medium
Potential Arbitrary DLL Load Using Winword
Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.

title: Potential Arbitrary DLL Load Using Winword
id: f7375e28-5c14-432f-b8d1-1db26c832df3
related:
    - id: 2621b3a6-3840-4810-ac14-a02426086171
      type: obsolete
status: test
description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
references:
    - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-03-29
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WINWORD.exe'
        - OriginalFileName: 'WinWord.exe'
    selection_dll:
        CommandLine|contains|all:
            - '/l '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Potential Arbitrary File Download Via Cmdl32.EXE
Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
Attackers can abuse this utility in order to download arbitrary files via a configuration file.
Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.

title: Potential Arbitrary File Download Via Cmdl32.EXE
id: f37aba28-a9e6-4045-882c-d5004043b337
status: test
description: |
    Detects execution of Cmdl32 with the "/vpn" and "/lan" flags.
    Attackers can abuse this utility in order to download arbitrary files via a configuration file.
    Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
    - https://twitter.com/SwiftOnSecurity/status/1455897435063074824
    - https://github.com/LOLBAS-Project/LOLBAS/pull/151
author: frack113
date: 2021-11-03
modified: 2024-04-22
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmdl32.exe'
        - OriginalFileName: CMDL32.EXE
    selection_cli:
        CommandLine|contains|all:
            - '/vpn'
            - '/lan'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Potential Binary Impersonating Sysinternals Tools
Detects binaries that use the same name as legitimate Sysinternals tools to evade detection.
This rule looks for the execution of binaries that are named similarly to Sysinternals tools.
Adversaries may rename their malicious tools as legitimate Sysinternals tools to evade detection.
status: test
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
status testauthor Nasreddine Bencherchali (Nextron Systems)id 5a3164f2-b373-4152-93cf-090b13c12d27
title: Potentially Suspicious Child Process Of VsCode
id: 5a3164f2-b373-4152-93cf-090b13c12d27
status: test
description: Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
references:
    - https://twitter.com/nas_bench/status/1618021838407495681
    - https://twitter.com/nas_bench/status/1618021415852335105
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-26
modified: 2023-10-25
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\code.exe'
    selection_children_images:
        Image|endswith:
            - '\calc.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\cscript.exe'
            - '\wscript.exe'
    selection_children_cli:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
        CommandLine|contains:
            - 'Invoke-Expression' # cmdlet name; a substring match on 'Invoke-Expressions' would miss the real cmdlet
            - 'IEX'
            - 'Invoke-Command'
            - 'ICM'
            - 'DownloadString'
            - 'rundll32'
            - 'regsvr32'
            - 'wscript'
            - 'cscript'
    selection_children_paths:
        Image|contains:
            # Add more suspicious locations
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - ':\Temp\'
    condition: selection_parent and 1 of selection_children_*
falsepositives:
    - In development environments where VsCode is used heavily. False positives may occur when developers use tasks to compile or execute different types of code. Remove or add processes accordingly.
level: medium
Proxy Execution via Vshadow
Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
attackers can leverage this parameter to proxy the execution of malware.
status: experimental | author: David Faiss | id: d7c75059-2901-4578-b209-8837fd31c6a8
title: Proxy Execution via Vshadow
id: d7c75059-2901-4578-b209-8837fd31c6a8
status: experimental
description: |
    Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits.
    VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag,
    attackers can leverage this parameter to proxy the execution of malware.
author: David Faiss
date: 2025-05-26
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Vshadow/
    - https://learn.microsoft.com/en-us/windows/win32/vss/vshadow-tool-and-sample
tags:
    - attack.stealth
    - attack.t1202
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\vshadow.exe'
        - OriginalFileName: 'vshadow.exe'
    selection_cli:
        CommandLine|contains: '-exec'
    condition: all of selection_*
falsepositives:
    - System backup or administrator tools
    - Legitimate administrative scripts
level: medium
Renamed CURL.EXE Execution
Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
status: test | author: X__Junior (Nextron Systems) | id: 7530cd3d-7671-43e3-b209-976966f6ea48
title: Renamed CURL.EXE Execution
id: 7530cd3d-7671-43e3-b209-976966f6ea48
status: test
description: Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
references:
    - https://twitter.com/Kostastsale/status/1700965142828290260
author: X__Junior (Nextron Systems)
date: 2023-09-11
modified: 2023-10-12
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'curl.exe'
        - Description: 'The curl executable'
    filter_main_img:
        Image|contains: '\curl'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_curl/info.yml
Renamed FTP.EXE Execution
Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
status: test | author: Victor Sergeev, oscd.community | id: 277a4393-446c-449a-b0ed-7fdc7795244c
title: Renamed FTP.EXE Execution
id: 277a4393-446c-449a-b0ed-7fdc7795244c
status: test
description: Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-02-03
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_original:
        OriginalFileName: 'ftp.exe'
    filter_img:
        Image|endswith: '\ftp.exe'
    condition: selection_original and not filter_img
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_renamed_ftp/info.yml
Suspicious Cabinet File Execution Via Msdt.EXE
Detects execution of msdt.exe using the "cab" flag, which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
status: test | author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113 | id: dc4576d4-7467-424f-9eee-fd2b02855fe0
title: Suspicious Cabinet File Execution Via Msdt.EXE
id: dc4576d4-7467-424f-9eee-fd2b02855fe0
related:
    - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
      type: obsolete
status: test
description: Detects execution of msdt.exe using the "cab" flag, which could indicate suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
references:
    - https://twitter.com/nas_bench/status/1537896324837781506
    - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
date: 2022-06-21
modified: 2024-03-13
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msdt.exe'
        - OriginalFileName: 'msdt.exe'
    selection_cmd:
        CommandLine|contains|windash: ' -cab '
    condition: all of selection_*
falsepositives:
    - Legitimate usage of ".diagcab" files
level: medium
Suspicious Runscripthelper.exe
Detects execution of powershell scripts via Runscripthelper.exe
status: test | author: Victor Sergeev, oscd.community | id: eca49c87-8a75-4f13-9c73-a5a29e845f03
title: Suspicious Runscripthelper.exe
id: eca49c87-8a75-4f13-9c73-a5a29e845f03
status: test
description: Detects execution of powershell scripts via Runscripthelper.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2022-07-11
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Runscripthelper.exe'
        CommandLine|contains: 'surfacecheck'
    condition: selection
falsepositives:
    - Unknown
level: medium
Suspicious ZipExec Execution
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
status: test | author: frack113 | id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
title: Suspicious ZipExec Execution
id: 90dcf730-1b71-4ae7-9ffc-6fcf62bd0132
status: test
description: ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
references:
    - https://twitter.com/SBousseaden/status/1451237393017839616
    - https://github.com/Tylous/ZipExec
author: frack113
date: 2021-11-07
modified: 2022-12-25
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    run:
        CommandLine|contains|all:
            - '/generic:Microsoft_Windows_Shell_ZipFolder:filename='
            - '.zip'
            - '/pass:'
            - '/user:'
    delete:
        CommandLine|contains|all:
            - '/delete'
            - 'Microsoft_Windows_Shell_ZipFolder:filename='
            - '.zip'
    condition: run or delete
falsepositives:
    - Unknown
level: medium
Troubleshooting Pack Cmdlet Execution
Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190, or an action similar to the "msdt" LOLBIN (as described in LOLBAS)
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
title: Troubleshooting Pack Cmdlet Execution
id: 03409c93-a7c7-49ba-9a4c-a00badf2a153
status: test
description: Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190, or an action similar to the "msdt" LOLBIN (as described in LOLBAS)
references:
    - https://twitter.com/nas_bench/status/1537919885031772161
    - https://lolbas-project.github.io/lolbas/Binaries/Msdt/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-21
tags:
    - attack.stealth
    - attack.t1202
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Invoke-TroubleshootingPack'
            - 'C:\Windows\Diagnostics\System\PCW'
            - '-AnswerFile'
            - '-Unattended'
    condition: selection
falsepositives:
    - Legitimate usage of "TroubleshootingPack" cmdlet for troubleshooting purposes
level: medium
Uncommon Child Process Of BgInfo.EXE
Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
status: test | author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community | id: aaf46cdc-934e-4284-b329-34aa701e3771
title: Uncommon Child Process Of BgInfo.EXE
id: aaf46cdc-934e-4284-b329-34aa701e3771
related:
    - id: 811f459f-9231-45d4-959a-0266c6311987
      type: similar
status: test
description: Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/
    - https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
author: Nasreddine Bencherchali (Nextron Systems), Beyu Denis, oscd.community
date: 2019-10-26
modified: 2023-08-16
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.005
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\bginfo.exe'
            - '\bginfo64.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Uncommon Child Process Of Conhost.EXE
Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
status: test | author: omkar72 | id: 7dc2dedd-7603-461a-bc13-15803d132355
title: Uncommon Child Process Of Conhost.EXE
id: 7dc2dedd-7603-461a-bc13-15803d132355
related:
    - id: dfa03a09-8b92-4d83-8e74-f72839b1c407
      type: similar
status: test
description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
references:
    - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
author: omkar72
date: 2020-10-25
modified: 2023-12-11
tags:
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\conhost.exe'
    filter_main_conhost:
        Image|endswith: ':\Windows\System32\conhost.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    filter_optional_provider:
        Provider_Name: 'SystemTraceProvider-Process' # Race condition with SystemTrace doesn't provide all fields.
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
WSL Child Process Anomaly
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: 2267fe65-0681-42ad-9a6d-46553d3f3480
title: WSL Child Process Anomaly
id: 2267fe65-0681-42ad-9a6d-46553d3f3480
related:
    - id: dec44ca7-61ad-493c-bfd7-8819c5faa09b # LOLBIN Rule
      type: derived
status: test
description: Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
    - https://twitter.com/nas_bench/status/1535431474429808642
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-23
modified: 2023-08-15
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith:
            - '\wsl.exe'
            - '\wslhost.exe'
    selection_children_images:
        Image|endswith:
            # Add more suspicious/uncommon "lolbin" processes
            - '\calc.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    selection_children_paths:
        Image|contains:
            - '\AppData\Local\Temp\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Temp\'
            - 'C:\Temp\'
            - '\Downloads\'
            - '\Desktop\'
    condition: selection_parent and 1 of selection_children_*
falsepositives:
    - Unknown
level: medium
Windows Binary Executed From WSL
Detects the execution of Windows binaries from within a WSL instance.
This could be used to masquerade parent-child relationships.
status: test | author: Nasreddine Bencherchali (Nextron Systems) | id: ed825c86-c009-4014-b413-b76003e33d35
title: Windows Binary Executed From WSL
id: ed825c86-c009-4014-b413-b76003e33d35
status: test
description: |
    Detects the execution of Windows binaries from within a WSL instance.
    This could be used to masquerade parent-child relationships.
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-14
tags:
    - attack.execution
    - attack.stealth
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|re: '[a-zA-Z]:\\'
        CurrentDirectory|contains: '\\\\wsl.localhost' # Note: programs not supporting UNC paths (example: cmd.exe) will default to another location
    condition: selection
falsepositives:
    - Unknown
level: medium
Suspicious High IntegrityLevel Conhost Legacy Option
ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
status: test | author: frack113 | id: 3037d961-21e9-4732-b27a-637bcc7bf539
title: Suspicious High IntegrityLevel Conhost Legacy Option
id: 3037d961-21e9-4732-b27a-637bcc7bf539
status: test
description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
references:
    - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29
    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
    - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
author: frack113
date: 2022-12-09
modified: 2024-12-01
tags:
    - attack.stealth
    - attack.t1202
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        IntegrityLevel:
            - 'High'
            - 'S-1-16-12288'
        CommandLine|contains|all:
            - 'conhost.exe'
            - '0xffffffff'
            - '-ForceV1'
    condition: selection
falsepositives:
    - Very likely, including launching cmd.exe via Run As Administrator
level: informational