Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Detects the process injection of a LittleCorporal generated Maldoc.
status testauthor Christian Burkard (Nextron Systems)id 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
view Sigma YAML
title: HackTool - LittleCorporal Generated Maldoc Injection
id: 7bdde3bf-2a42-4c39-aa31-a92b3e17afac
status: test
description: Detects the process injection of a LittleCorporal generated Maldoc.
references:
- https://github.com/connormcgarr/LittleCorporal
author: Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-11-28
tags:
- attack.execution
- attack.privilege-escalation
- attack.stealth
- attack.t1204.002
- attack.t1055.003
logsource:
category: process_access
product: windows
detection:
selection:
SourceImage|endswith: '\winword.exe'
CallTrace|contains|all:
- ':\Windows\Microsoft.NET\Framework64\v2.'
- 'UNKNOWN'
condition: selection
falsepositives:
- Unknown
level: high
high
MMC Executing Files with Reversed Extensions Using RTLO Abuse
Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
view Sigma YAML
title: MMC Executing Files with Reversed Extensions Using RTLO Abuse
id: 9cfe4b27-1e56-48b4-b7a8-d46851c91a44
status: experimental
description: Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
references:
- https://www.unicode.org/versions/Unicode5.2.0/ch02.pdf
- https://en.wikipedia.org/wiki/Right-to-left_override
- https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
- attack.execution
- attack.stealth
- attack.t1204.002
- attack.t1218.014
- attack.t1036.002
logsource:
category: process_creation
product: windows
detection:
selection_image:
- Image|endswith: '\mmc.exe'
- OriginalFileName: 'MMC.exe'
selection_commandline:
CommandLine|contains: # While looking at these files the prefix of their name will look something like csm.pdf, but in reality it is msc file
- 'cod.msc' # Reversed `.doc`
- 'fdp.msc' # Reversed `.pdf`
- 'ftr.msc' # Reversed `.rtf`
- 'lmth.msc' # Reversed `.html`
- 'slx.msc' # Reversed `.xls`
- 'tdo.msc' # Reversed `.odt`
- 'xcod.msc' # Reversed `.docx`
- 'xslx.msc' # Reversed `.xlsx`
- 'xtpp.msc' # Reversed `.pptx`
condition: all of selection_*
falsepositives:
- Legitimate administrative actions using MMC to execute misnamed `.msc` files.
- Unconventional but non-malicious usage of RLO or reversed extensions.
level: high
high
Suspicious Binary In User Directory Spawned From Office Application
Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
status testauthor Jason Lynchid aa3a6f94-890e-4e22-b634-ffdfd54792cc
view Sigma YAML
title: Suspicious Binary In User Directory Spawned From Office Application
id: aa3a6f94-890e-4e22-b634-ffdfd54792cc
status: test
description: Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
references:
- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
- https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57
author: Jason Lynch
date: 2019-04-02
modified: 2023-02-04
tags:
- attack.execution
- attack.t1204.002
- attack.g0046
- car.2013-05-002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.exe'
- '\MSPUB.exe'
- '\VISIO.exe'
- '\MSACCESS.exe'
- '\EQNEDT32.exe'
# - '\OUTLOOK.EXE' too many FPs
Image|startswith: 'C:\users\'
Image|endswith: '.exe'
filter:
Image|endswith: '\Teams.exe'
condition: selection and not filter
falsepositives:
- Unknown
level: high
high
Suspicious LNK Command-Line Padding with Whitespace Characters
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
This rule flags suspicious use of such padding observed in real-world attacks.
status experimentalauthor Swachchhanda Shrawan Poudel (Nextron Systems)id dd8756e7-a3a0-4768-b47e-8f545d1a751c
view Sigma YAML
title: Suspicious LNK Command-Line Padding with Whitespace Characters
id: dd8756e7-a3a0-4768-b47e-8f545d1a751c
status: experimental
description: |
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
This rule flags suspicious use of such padding observed in real-world attacks.
references:
- https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415
- https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
- https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-03-19
tags:
- attack.initial-access
- attack.execution
- attack.t1204.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- ParentImage|endswith: '\explorer.exe'
- ParentCommandLine|contains: '.lnk'
selection_cmd:
- CommandLine|contains:
- ' ' # Padding of SPACE (0x20)
# - ' ' # Horizontal Tab (0x9)
- '\u0009'
- '\u000A' # Line Feed
- '\u0011'
- '\u0012'
- '\u0013'
- '\u000B' # Vertical Tab
- '\u000C' # \x0C
- '\u000D' # \x0D
- CommandLine|re: '\n\n\n\n\n\n' # In some cases \u000[ABCD] are represented as a newline in the eventlog
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
status testauthor Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_ioid 438025f9-5856-4663-83f7-52f878a70a50
Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
status testauthor Sohan G (D4rkCiph3r)id 69483748-1525-4a6c-95ca-90dc8d431b68
view Sigma YAML
title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: test
description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
references:
- https://redcanary.com/blog/applescript/
- https://objective-see.org/blog/blog_0x4B.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2023-02-04
tags:
- attack.execution
- attack.persistence
- attack.t1059.002
- attack.t1137.002
- attack.t1204.002
logsource:
product: macos
category: process_creation
detection:
selection:
ParentImage|contains:
- 'Microsoft Word'
- 'Microsoft Excel'
- 'Microsoft PowerPoint'
- 'Microsoft OneNote'
Image|endswith:
- '/bash'
- '/curl'
- '/dash'
- '/fish'
- '/osacompile'
- '/osascript'
- '/sh'
- '/zsh'
- '/python'
- '/python3'
- '/wget'
condition: selection
falsepositives:
- Unknown
level: high
high
Suspicious Outlook Child Process
Detects a suspicious process spawning from an Outlook process.
status testauthor Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Teamid 208748f7-881d-47ac-a29c-07ea84bf691d
view Sigma YAML
title: Suspicious Outlook Child Process
id: 208748f7-881d-47ac-a29c-07ea84bf691d
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes
type: derived
- id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process
type: derived
status: test
description: Detects a suspicious process spawning from an Outlook process.
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
date: 2022-02-28
modified: 2023-02-04
tags:
- attack.execution
- attack.t1204.002
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\OUTLOOK.EXE'
Image|endswith:
- '\AppVLP.exe'
- '\bash.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\forfiles.exe'
- '\hh.exe'
- '\mftrace.exe'
- '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- '\msdt.exe' # CVE-2022-30190
- '\mshta.exe'
- '\msiexec.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\schtasks.exe'
- '\scrcons.exe'
- '\scriptrunner.exe'
- '\sh.exe'
- '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\wscript.exe'
# Several FPs with rundll32.exe
# We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely
# - '\rundll32.exe'
# filter_outlook_photoviewer: # https://twitter.com/Luke_Hamp/status/1495919717760237568
# ParentImage|endswith: '\OUTLOOK.EXE'
# Image|endswith: '\rundll32.exe'
# CommandLine|contains: '\PhotoViewer.dll'
# filter_outlook_printattachments: # https://twitter.com/KickaKamil/status/1496238278659485696
# ParentImage|endswith: '\OUTLOOK.EXE'
# Image|endswith: '\rundll32.exe'
# CommandLine|contains|all:
# - 'shell32.dll,Control_RunDLL'
# - '\SYSTEM32\SPOOL\DRIVERS\'
condition: selection # and not 1 of filter*
falsepositives:
- Unknown
level: high
high
Suspicious Startup Folder Persistence
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
title: Suspicious Startup Folder Persistence
id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
- id: 2aa0a6b4-a865-495b-ab51-c28249537b75
type: similar
status: test
description: |
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
references:
- https://github.com/last-byte/PersistenceSniper
- https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
- https://github.com/redcanaryco/atomic-red-team/blob/5ede8f21e42ebe37e0a6eff757dba60bcfa85859/atomics/T1547.001/T1547.001.md
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-10
modified: 2025-10-12
tags:
- attack.privilege-escalation
- attack.execution
- attack.t1204.002
- attack.persistence
- attack.t1547.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|contains: '\Windows\Start Menu\Programs\Startup\'
TargetFilename|endswith:
# Add or remove suspicious extensions according to your env needs
- '.bat'
- '.cmd'
- '.dll'
- '.hta'
- '.jar'
- '.js'
- '.jse'
- '.msi'
- '.ps1'
- '.psd1'
- '.psm1'
- '.scr'
- '.url'
- '.vba'
- '.vbe'
- '.vbs'
- '.wsf'
condition: selection
falsepositives:
- Rare legitimate usage of some of the extensions mentioned in the rule
level: high
high
Suspicious WMIC Execution Via Office Process
Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
status testauthor Vadim Khrykov, Cyb3rEngid e1693bc8-7168-4eab-8718-cdcaa68a1738
view Sigma YAML
title: Suspicious WMIC Execution Via Office Process
id: e1693bc8-7168-4eab-8718-cdcaa68a1738
related:
- id: 438025f9-5856-4663-83f7-52f878a70a50
type: derived
- id: 518643ba-7d9c-4fa5-9f37-baed36059f6a
type: obsolete
- id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0
type: obsolete
- id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5
type: obsolete
- id: 04f5363a-6bca-42ff-be70-0d28bf629ead
type: obsolete
status: test
description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
author: Vadim Khrykov, Cyb3rEng
date: 2021-08-23
modified: 2023-02-14
tags:
- attack.stealth
- attack.t1204.002
- attack.t1047
- attack.t1218.010
- attack.execution
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith:
- '\WINWORD.EXE'
- '\EXCEL.EXE'
- '\POWERPNT.exe'
- '\MSPUB.exe'
- '\VISIO.exe'
- '\MSACCESS.EXE'
- '\EQNEDT32.EXE'
- '\ONENOTE.EXE'
- '\wordpad.exe'
- '\wordview.exe'
selection_wmic_img:
- Image|endswith: '\wbem\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_wmic_cli:
CommandLine|contains|all:
- 'process'
- 'create'
- 'call'
CommandLine|contains:
# Add more suspicious LOLBINs as you see fit
- 'regsvr32'
- 'rundll32'
- 'msiexec'
- 'mshta'
- 'verclsid'
- 'wscript'
- 'cscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
title: Suspicious WmiPrvSE Child Process
id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
related:
- id: 692f0bec-83ba-4d04-af7e-e884a96059b6
type: similar
- id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
type: similar
- id: 18cf6cf0-39b0-4c22-9593-e244bdc9a2d4
type: obsolete
status: test
description: Detects suspicious and uncommon child processes of WmiPrvSE
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
- https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
- https://twitter.com/ForensicITGuy/status/1334734244120309760
author: Vadim Khrykov (ThreatIntel), Cyb3rEng, Florian Roth (Nextron Systems)
date: 2021-08-23
modified: 2023-11-10
tags:
- attack.execution
- attack.stealth
- attack.t1047
- attack.t1204.002
- attack.t1218.010
logsource:
product: windows
category: process_creation
detection:
selection_parent:
ParentImage|endswith: '\wbem\WmiPrvSE.exe'
selection_children_1:
# TODO: Add more LOLBINs or suspicious processes that make sens in your environment
Image|endswith:
- '\certutil.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\msiexec.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\verclsid.exe'
- '\wscript.exe'
selection_children_2:
# This is in a separate selection due to the nature of FP generated with CMD
Image|endswith: '\cmd.exe'
CommandLine|contains:
- 'cscript'
- 'mshta'
- 'powershell'
- 'pwsh'
- 'regsvr32'
- 'rundll32'
- 'wscript'
filter_main_werfault:
Image|endswith: '\WerFault.exe'
filter_main_wmiprvse:
Image|endswith: '\WmiPrvSE.exe' # In some legitimate case WmiPrvSE was seen spawning itself
filter_main_msiexec:
Image|endswith: '\msiexec.exe'
CommandLine|contains: '/i '
condition: selection_parent and 1 of selection_children_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
high
VBA DLL Loaded Via Office Application
Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
status testauthor Antonlovesdnbid e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
view Sigma YAML
title: VBA DLL Loaded Via Office Application
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: test
description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|endswith:
- '\VBE7.DLL'
- '\VBEUI.DLL'
- '\VBE7INTL.DLL'
condition: selection
falsepositives:
- Legitimate macro usage. Add the appropriate filter according to your environment
level: high
medium
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
status testauthor Pushkarev Dmitryid 401e5d00-b944-11ea-8f9a-00163ecd60ae
view Sigma YAML
title: AppLocker Prevented Application or Script from Running
id: 401e5d00-b944-11ea-8f9a-00163ecd60ae
status: test
description: |
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
references:
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/what-is-applocker
- https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/applocker/using-event-viewer-with-applocker
- https://nxlog.co/documentation/nxlog-user-guide/applocker.html
author: Pushkarev Dmitry
date: 2020-06-28
modified: 2025-12-03
tags:
- attack.execution
- attack.t1204.002
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.006
- attack.t1059.007
logsource:
product: windows
service: applocker
detection:
selection:
EventID:
- 8004 # EXE and DLL
- 8007 # MSI and Script
- 8022 # Packaged app execution
- 8025 # Packaged app deployment
condition: selection
falsepositives:
- Unlikely, since this event notifies about blocked application execution. Tune your applocker rules to avoid blocking legitimate applications.
level: medium
medium
CLR DLL Loaded Via Office Applications
Detects CLR DLL being loaded by an Office Product
status testauthor Antonlovesdnbid d13c43f0-f66b-4279-8b2c-5912077c1780
view Sigma YAML
title: CLR DLL Loaded Via Office Applications
id: d13c43f0-f66b-4279-8b2c-5912077c1780
status: test
description: Detects CLR DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\outlook.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|contains: '\clr.dll'
condition: selection
falsepositives:
- Unknown
level: medium
medium
DotNET Assembly DLL Loaded Via Office Application
Detects any assembly DLL being loaded by an Office Product
status testauthor Antonlovesdnbid ff0f2b05-09db-4095-b96d-1b75ca24894a
view Sigma YAML
title: DotNET Assembly DLL Loaded Via Office Application
id: ff0f2b05-09db-4095-b96d-1b75ca24894a
status: test
description: Detects any assembly DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith:
- '\excel.exe'
- '\mspub.exe'
- '\onenote.exe'
- '\onenoteim.exe' # Just in case
- '\outlook.exe'
- '\powerpnt.exe'
- '\winword.exe'
ImageLoaded|startswith: 'C:\Windows\assembly\'
condition: selection
falsepositives:
- Unknown
level: medium
medium
Microsoft Excel Add-In Loaded From Uncommon Location
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
status testauthor Nasreddine Bencherchali (Nextron Systems)id af4c4609-5755-42fe-8075-4effb49f5d44
view Sigma YAML
title: Microsoft Excel Add-In Loaded From Uncommon Location
id: af4c4609-5755-42fe-8075-4effb49f5d44
related:
- id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
type: derived
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
references:
- https://www.mandiant.com/resources/blog/lnk-between-browsers
- https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\excel.exe'
ImageLoaded|contains:
# Note: Add or remove locations from this list based on your internal policy
- '\Desktop\'
- '\Downloads\'
- '\Perflogs\'
- '\Temp\'
- '\Users\Public\'
- '\Windows\Tasks\'
ImageLoaded|endswith: '.xll'
condition: selection
falsepositives:
- Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
level: medium
medium
Microsoft VBA For Outlook Addin Loaded Via Outlook
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
status testauthor Nasreddine Bencherchali (Nextron Systems)id 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
view Sigma YAML
title: Microsoft VBA For Outlook Addin Loaded Via Outlook
id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
status: test
description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
modified: 2024-03-12
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\outlook.exe'
ImageLoaded|endswith: '\outlvba.dll'
condition: selection
falsepositives:
- Legitimate macro usage. Add the appropriate filter according to your environment
level: medium
medium
Potential Suspicious Browser Launch From Document Reader Process
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
status testauthor Joseph Kamauid 1193d960-2369-499f-a158-7b50a31df682
view Sigma YAML
title: Potential Suspicious Browser Launch From Document Reader Process
id: 1193d960-2369-499f-a158-7b50a31df682
status: test
description: |
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
references:
- https://app.any.run/tasks/69c5abaa-92ad-45ba-8c53-c11e23e05d04/ # PDF Document
- https://app.any.run/tasks/64043a79-165f-4052-bcba-e6e49f847ec1/ # Office Document
author: Joseph Kamau
date: 2024-05-27
modified: 2025-10-07
tags:
- attack.execution
- attack.t1204.002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|contains:
- 'Acrobat Reader'
- 'Microsoft Office'
- 'PDF Reader'
Image|endswith:
- '\brave.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\msedge.exe'
- '\opera.exe'
- '\maxthon.exe'
- '\seamonkey.exe'
- '\vivaldi.exe'
CommandLine|contains: 'http'
filter_main_microsoft_help:
CommandLine|contains: 'https://go.microsoft.com/fwlink/'
filter_optional_foxit:
CommandLine|contains:
- 'http://ad.foxitsoftware.com/adlog.php?'
- 'https://globe-map.foxitservice.com/go.php?do=redirect'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unlikely in most cases, further investigation should be done in the commandline of the browser process to determine the context of the URL accessed.
level: medium
medium
Remote DLL Load Via Rundll32.EXE
Detects a remote DLL load event via "rundll32.exe".
status testauthor Nasreddine Bencherchali (Nextron Systems)id f40017b3-cb2e-4335-ab5d-3babf679c1de
view Sigma YAML
title: Remote DLL Load Via Rundll32.EXE
id: f40017b3-cb2e-4335-ab5d-3babf679c1de
status: test
description: Detects a remote DLL load event via "rundll32.exe".
references:
- https://github.com/gabe-k/themebleed
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-18
tags:
- attack.execution
- attack.t1204.002
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\rundll32.exe'
ImageLoaded|startswith: '\\\\'
condition: selection
falsepositives:
- Unknown
level: medium
medium
Windows AppX Deployment Full Trust Package Installation
Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
status experimentalauthor Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)id e54279c7-4910-4e2c-902c-c56a25b549f6
view Sigma YAML
title: Windows AppX Deployment Full Trust Package Installation
id: e54279c7-4910-4e2c-902c-c56a25b549f6
status: experimental
description: Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions
references:
- https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
- attack.execution
- attack.defense-impairment
- attack.t1204.002
- attack.t1553.005
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID: 400
HasFullTrust: true
filter_main_legitpath:
PackageSourceUri|startswith:
- 'file:///C:/Program%20Files/'
- 'file:///C:/Program%20Files%20(x86)/'
filter_main_microsoft:
- PackageSourceUri|startswith: 'https://go.microsoft.com/fwlink/?linkid'
- PackageSourceUri|contains:
- '.cdn.microsoft.com'
- '.cdn.office.net/'
filter_main_callerprocess:
CallingProcess|startswith:
- 'sysprep.exe'
- 'svchost.exe,AppReadiness'
filter_optional_x_update:
PackageSourceUri|startswith: 'x-windowsupdate://'
filter_optional_microsoftclient:
PackageFullName|startswith: 'MicrosoftWindows.Client.'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Some legitimate applications installation which have been missed from filtering can generate fps, thus baselining and tuning is recommended before deploying to production
level: medium
medium
Windows AppX Deployment Unsigned Package Installation
Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
status experimentalauthor Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)id 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
view Sigma YAML
title: Windows AppX Deployment Unsigned Package Installation
id: 9a025188-6f2d-42f8-bb2f-d3a83d24a5af
related:
- id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
type: similar
- id: 975b2262-9a49-439d-92a6-0709cccdf0b2
type: similar
status: experimental
description: Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events
references:
- https://docs.microsoft.com/en-us/powershell/module/appx/add-appxpackage
- https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
- attack.execution
- attack.defense-impairment
- attack.t1204.002
- attack.t1553.005
logsource:
product: windows
service: appxdeployment-server
detection:
selection:
EventID: 603
Flags: '8388608'
condition: selection
falsepositives:
- Legitimate installation of unsigned packages for legitimate purposes such as development or testing
level: medium
low
Download From Suspicious TLD - Blacklist
Detects download of certain file types from hosts in suspicious TLDs
status testauthor Florian Roth (Nextron Systems)id 00d0b5ab-1f55-4120-8e83-487c0a7baf19
Detects executable downloads from suspicious remote systems
status testauthor Florian Roth (Nextron Systems)id b5de2919-b74a-4805-91a7-5049accbaefe
view Sigma YAML
title: Download From Suspicious TLD - Whitelist
id: b5de2919-b74a-4805-91a7-5049accbaefe
related:
- id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
type: similar
status: test
description: Detects executable downloads from suspicious remote systems
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2023-05-18
tags:
- attack.initial-access
- attack.t1566
- attack.execution
- attack.t1203
- attack.t1204.002
logsource:
category: proxy
detection:
selection:
c-uri-extension:
- 'exe'
- 'vbs'
- 'bat'
- 'rar'
- 'ps1'
- 'doc'
- 'docm'
- 'xls'
- 'xlsm'
- 'pptm'
- 'rtf'
- 'hta'
- 'dll'
- 'ws'
- 'wsf'
- 'sct'
- 'zip'
# If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
filter:
cs-host|endswith:
- '.com'
- '.org'
- '.net'
- '.edu'
- '.gov'
- '.uk'
- '.ca'
- '.de'
- '.jp'
- '.fr'
- '.au'
- '.us'
- '.ch'
- '.it'
- '.nl'
- '.se'
- '.no'
- '.es'
# Extend this list as needed
condition: selection and not filter
falsepositives:
- All kind of software downloads
level: low
low
Windows MSIX Package Support Framework AI_STUBS Execution
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
status experimentalauthor Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)id af5732ed-764e-489d-826d-0447c8b36242
view Sigma YAML
title: Windows MSIX Package Support Framework AI_STUBS Execution
id: af5732ed-764e-489d-826d-0447c8b36242
status: experimental
description: |
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'.
This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
references:
- https://redcanary.com/blog/threat-intelligence/msix-installers/
- https://redcanary.com/threat-detection-report/techniques/installer-packages/
- https://learn.microsoft.com/en-us/windows/msix/package/package-support-framework
- https://www.splunk.com/en_us/blog/security/msix-weaponization-threat-detection-splunk.html
author: Michael Haag, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-03
tags:
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1218
- attack.t1553.005
- attack.t1204.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\AI_STUBS\AiStubX64Elevated.exe'
- '\AI_STUBS\AiStubX86Elevated.exe'
- '\AI_STUBS\AiStubX64.exe'
- '\AI_STUBS\AiStubX86.exe'
OriginalFileName: 'popupwrapper.exe'
condition: selection
falsepositives:
- Legitimate applications packaged with Advanced Installer using Package Support Framework
level: low
informational
New Application in AppCompat
A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
status testauthor Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)id 60936b49-fca0-4f32-993d-7415edcf9a5d
view Sigma YAML
title: New Application in AppCompat
id: 60936b49-fca0-4f32-993d-7415edcf9a5d
status: test
description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/1
- https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-05-02
modified: 2023-08-17
tags:
- attack.execution
- attack.t1204.002
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\'
condition: selection
falsepositives:
- This rule is to explore new applications on an endpoint. False positives depends on the organization.
- Newly setup system.
- Legitimate installation of new application.
level: informational