Home/Sigma rules
Sigma

Sigma detection rules

15 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

15 shown of 15
high
Potential Manage-bde.wsf Abuse To Proxy Execution
Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
status test author oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems) id c363385c-f75d-4753-a108-c1a8e28bdbda
view Sigma YAML 
title: Potential Manage-bde.wsf Abuse To Proxy Execution
id: c363385c-f75d-4753-a108-c1a8e28bdbda
status: test
description: Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
references:
    - https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/
    - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
    - https://twitter.com/bohops/status/980659399495741441
    - https://twitter.com/JohnLaTwC/status/1223292479270600706
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
author: oscd.community, Natalia Shornikova, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-13
modified: 2023-02-03
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_wscript_img:
        - Image|endswith: '\wscript.exe'
        - OriginalFileName: 'wscript.exe'
    selection_wscript_cli:
        CommandLine|contains: 'manage-bde.wsf'
    selection_parent:
        ParentImage|endswith:
            - '\cscript.exe'
            - '\wscript.exe'
        ParentCommandLine|contains: 'manage-bde.wsf'
    selection_filter_cmd:
        Image|endswith: '\cmd.exe'
    condition: all of selection_wscript_* or (selection_parent and not selection_filter_cmd)
falsepositives:
    - Unlikely
level: high
high
Suspicious CustomShellHost Execution
Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
status test author Nasreddine Bencherchali (Nextron Systems) id 84b14121-9d14-416e-800b-f3b829c5a14d
view Sigma YAML 
title: Suspicious CustomShellHost Execution
id: 84b14121-9d14-416e-800b-f3b829c5a14d
status: test
description: |
    Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
references:
    - https://github.com/LOLBAS-Project/LOLBAS/pull/180
    - https://lolbas-project.github.io/lolbas/Binaries/CustomShellHost/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2025-10-29
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\CustomShellHost.exe'
    filter_main_explorer:
        Image: 'C:\Windows\explorer.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives are unlikely, investigate matches carefully.
level: high
medium
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
status test author Julia Fomina, oscd.community id 074e0ded-6ced-4ebd-8b4d-53f55908119d
view Sigma YAML 
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
references:
    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020-10-06
modified: 2022-10-09
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    contains_format_pretty_arg:
        CommandLine|contains:
            - 'format:pretty'
            - 'format:"pretty"'
            - 'format:"text"'
            - 'format:text'
    image_from_system_folder:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    contains_winrm:
        CommandLine|contains: 'winrm'
    condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
falsepositives:
    - Unlikely
level: medium
medium
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
status test author Julia Fomina, oscd.community id d353dac0-1b41-46c2-820c-d7d2561fc6ed
view Sigma YAML 
title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
id: d353dac0-1b41-46c2-820c-d7d2561fc6ed
related:
    - id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
      type: derived
status: test
description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
references:
    - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
author: Julia Fomina, oscd.community
date: 2020-10-06
modified: 2022-11-28
tags:
    - attack.stealth
    - attack.t1216
logsource:
    product: windows
    category: file_event
detection:
    system_files:
        TargetFilename|endswith:
            - 'WsmPty.xsl'
            - 'WsmTxt.xsl'
    in_system_folder:
        TargetFilename|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    condition: system_files and not in_system_folder
falsepositives:
    - Unlikely
level: medium
medium
Assembly Loading Via CL_LoadAssembly.ps1
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id c57872c7-614f-4d7f-a40d-b78c8df2d30d
view Sigma YAML 
title: Assembly Loading Via CL_LoadAssembly.ps1
id: c57872c7-614f-4d7f-a40d-b78c8df2d30d
status: test
description: Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
references:
    - https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/
    - https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-05-21
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.
        CommandLine|contains:
            - 'LoadAssemblyFromPath '
            - 'LoadAssemblyFromNS '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Execute Code with Pester.bat
Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
status test author Julia Fomina, oscd.community id 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
view Sigma YAML 
title: Execute Code with Pester.bat
id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
status: test
description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
references:
    - https://twitter.com/Oddvarmoe/status/993383596244258816
    - https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md
author: Julia Fomina, oscd.community
date: 2020-10-08
modified: 2023-11-09
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    powershell_module:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Pester'
            - 'Get-Help'
    cmd_execution:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'pester'
            - ';'
    get_help:
        CommandLine|contains:
            - 'help'
            - '\?'
    condition: powershell_module or (cmd_execution and get_help)
falsepositives:
    - Legitimate use of Pester for writing tests for Powershell scripts and modules
level: medium
medium
Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
status test author frack113, Nasreddine Bencherchali id 18988e1b-9087-4f8a-82fe-0414dce49878
view Sigma YAML 
title: Execute Code with Pester.bat as Parent
id: 18988e1b-9087-4f8a-82fe-0414dce49878
related:
    - id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
      type: similar
status: test
description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
references:
    - https://twitter.com/Oddvarmoe/status/993383596244258816
    - https://twitter.com/_st0pp3r_/status/1560072680887525378
author: frack113, Nasreddine Bencherchali
date: 2022-08-20
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_module:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentCommandLine|contains: '\WindowsPowerShell\Modules\Pester\'
    selection_cli:
        ParentCommandLine|contains:
            - '{ Invoke-Pester -EnableExit ;'
            - '{ Get-Help "'
    condition: all of selection_*
falsepositives:
    - Legitimate use of Pester for writing tests for Powershell scripts and modules
level: medium
medium
Launch-VsDevShell.PS1 Proxy Execution
Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
status test author Nasreddine Bencherchali (Nextron Systems) id 45d3a03d-f441-458c-8883-df101a3bb146
view Sigma YAML 
title: Launch-VsDevShell.PS1 Proxy Execution
id: 45d3a03d-f441-458c-8883-df101a3bb146
status: test
description: Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
references:
    - https://twitter.com/nas_bench/status/1535981653239255040
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
tags:
    - attack.stealth
    - attack.t1216.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_script:
        CommandLine|contains: 'Launch-VsDevShell.ps1'
    selection_flags:
        CommandLine|contains:
            - 'VsWherePath '
            - 'VsInstallationPath '
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the script by a developer
level: medium
medium
Potential Process Execution Proxy Via CL_Invocation.ps1
Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
status test author Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova id a0459f02-ac51-4c09-b511-b8c9203fc429
view Sigma YAML 
title: Potential Process Execution Proxy Via CL_Invocation.ps1
id: a0459f02-ac51-4c09-b511-b8c9203fc429
status: test
description: Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
references:
    - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
    - https://twitter.com/bohops/status/948061991012327424
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova
date: 2020-10-14
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: As this function is usually called from within powershell, classical process creation even would not catch it. This will only catch inline calls via "-Command" or "-ScriptBlock" flags for example.
        CommandLine|contains: 'SyncInvoke '
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
status test author Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113 id 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
view Sigma YAML 
title: Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
id: 1e0e1a81-e79b-44bc-935b-ddb9c8006b3d
status: test
description: Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
references:
    - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
author: Nasreddine Bencherchali (Nextron Systems), oscd.community, Natalia Shornikova, frack113
date: 2022-05-21
modified: 2023-08-17
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_pwsh:
        ParentImage|endswith:
            # Note: to avoid potential FPs we assume the script was launched from powershell. But in theory it can be launched by any Powershell like process
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith: '\powershell.exe'
        CommandLine|contains: ' -nologo -windowstyle minimized -file '
    selection_temp:
        # Note: Since the function uses "env:temp" the value will change depending on the context of exec
        CommandLine|contains:
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Pubprn.vbs Proxy Execution
Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
status test author frack113 id 1fb76ab8-fa60-4b01-bddd-71e89bf555da
view Sigma YAML 
title: Pubprn.vbs Proxy Execution
id: 1fb76ab8-fa60-4b01-bddd-71e89bf555da
status: test
description: Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
references:
    - https://lolbas-project.github.io/lolbas/Scripts/Pubprn/
author: frack113
date: 2022-05-28
tags:
    - attack.stealth
    - attack.t1216.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\pubprn.vbs'
            - 'script:'
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Remote Code Execute via Winrm.vbs
Detects an attempt to execute code or create service on remote host via winrm.vbs.
status test author Julia Fomina, oscd.community id 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
view Sigma YAML 
title: Remote Code Execute via Winrm.vbs
id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
status: test
description: Detects an attempt to execute code or create service on remote host via winrm.vbs.
references:
    - https://twitter.com/bohops/status/994405551751815170
    - https://redcanary.com/blog/lateral-movement-winrm-wmi/
    - https://lolbas-project.github.io/lolbas/Scripts/Winrm/
author: Julia Fomina, oscd.community
date: 2020-10-07
modified: 2023-03-03
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Note: winrm.vbs can only be run by a process named cscript (see "IsCScriptEnv" function)
        - Image|endswith: '\cscript.exe'
        - OriginalFileName: 'cscript.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'winrm'
            - 'invoke Create wmicimv2/Win32_'
            - '-r:http'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
medium
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
status test author frack113 id 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
view Sigma YAML 
title: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
id: 36475a7d-0f6d-4dce-9b01-6aeb473bbaf1
status: test
description: Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md
    - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
author: frack113
date: 2021-07-16
modified: 2022-06-22
tags:
    - attack.stealth
    - attack.t1218
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\SyncAppvPublishingServer.vbs'
            - ';'  # at a minimum, a semi-colon is required
    condition: selection
falsepositives:
    - Unknown
level: medium
medium
Uncommon Sigverif.EXE Child Process
Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
status test author Nasreddine Bencherchali (Nextron Systems) id 7d4aaec2-08ed-4430-8b96-28420e030e04
view Sigma YAML 
title: Uncommon Sigverif.EXE Child Process
id: 7d4aaec2-08ed-4430-8b96-28420e030e04
status: test
description: |
    Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
references:
    - https://www.hexacorn.com/blog/2018/04/27/i-shot-the-sigverif-exe-the-gui-based-lolbin/
    - https://twitter.com/0gtweet/status/1457676633809330184
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-19
modified: 2024-08-27
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\sigverif.exe'
    filter_main_werfault:
        Image:
            - 'C:\Windows\System32\WerFault.exe'
            - 'C:\Windows\SysWOW64\WerFault.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
medium
UtilityFunctions.ps1 Proxy Dll
Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
status test author frack113 id 0403d67d-6227-4ea8-8145-4e72db7da120
view Sigma YAML 
title: UtilityFunctions.ps1 Proxy Dll
id: 0403d67d-6227-4ea8-8145-4e72db7da120
status: test
description: Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
references:
    - https://lolbas-project.github.io/lolbas/Scripts/UtilityFunctions/
author: frack113
date: 2022-05-28
tags:
    - attack.stealth
    - attack.t1216
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'UtilityFunctions.ps1'
            - 'RegSnapin '
    condition: selection
falsepositives:
    - Unknown
level: medium
Showing 1-15 of 15
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin