Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system.
When the sticky keys are "activated" the privileged shell is launched.
title: Persistence Via Sticky Key Backdoor
id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3
status: test
description: |
    By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system.
    When the sticky keys are "activated" the privileged shell is launched.
references:
    - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
    - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Sreeman
date: 2020-02-18
modified: 2023-03-07
tags:
    - attack.persistence
    - attack.t1546.008
    - attack.privilege-escalation
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains|all:
            - 'copy '
            - '/y '
            - 'C:\windows\system32\cmd.exe C:\windows\system32\sethc.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
title: Sticky Key Like Backdoor Execution
id: 2fdefcb3-dbda-401e-ae23-f0db027628bc
related:
    - id: baca5663-583c-45f9-b5dc-ea96a22ce542
      type: derived
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2023-03-07
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\winlogon.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
            - '\wt.exe'
        CommandLine|contains:
            - 'sethc.exe'
            - 'utilman.exe'
            - 'osk.exe'
            - 'Magnify.exe'
            - 'Narrator.exe'
            - 'DisplaySwitch.exe'
    condition: selection
falsepositives:
    - Unlikely
level: critical
Sticky Key Like Backdoor Usage - Registry
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
title: Sticky Key Like Backdoor Usage - Registry
id: baca5663-583c-45f9-b5dc-ea96a22ce542
status: test
description: Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
references:
    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community
date: 2018-03-15
modified: 2022-11-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
    - car.2014-11-003
    - car.2014-11-008
logsource:
    category: registry_event
    product: windows
detection:
    selection_registry:
        TargetObject|endswith:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atbroker.exe\Debugger'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger'
    condition: selection_registry
falsepositives:
    - Unlikely
level: critical
WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
    - https://twitter.com/cglyer/status/1182389676876980224
    - https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\EdgeTransport.exe'
    filter_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        Image|endswith: '\Bin\OleConverter.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: critical
COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
title: COM Hijack via Sdclt
id: 07743f65-7ec9-404a-a519-913db7118a8d
status: test
description: Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
references:
    - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass
    - https://www.exploit-db.com/exploits/47696
author: Omkar Gudhate
date: 2020-09-27
modified: 2023-09-28
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546
    - attack.t1548
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Classes\Folder\shell\open\command\DelegateExecute'
    condition: selection
falsepositives:
    - Unknown
level: high
COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
title: COM Object Hijacking Via Modification Of Default System CLSID Default Value
id: 790317c0-0a36-4a6a-a105-6e576bf99a14
related:
    - id: 3d968d17-ffa4-4bc0-bfdc-f139de76ce77
      type: obsolete
    - id: a0ff33d8-79e4-4cef-b4f3-9dc4133ccd12
      type: obsolete
status: experimental
description: Detects potential COM object hijacking via modification of default system CLSID.
references:
    - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea)
    - https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
    - https://blog.talosintelligence.com/uat-5647-romcom/
    - https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/darkhotel-a-cluster-of-groups-united-by-common-techniques
    - https://threatbook.io/blog/Analysis-of-APT-C-60-Attack-on-South-Korea
    - https://catalyst.prodaft.com/public/report/inside-the-latest-espionage-campaign-of-nebulous-mantis
    - https://github.com/rtecCyberSec/BitlockMove
    - https://cert.gov.ua/article/6284080
    - https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-07-16
modified: 2025-11-10
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_target_root:
        TargetObject|contains: '\CLSID\'
        TargetObject|endswith:
            - '\InprocServer32\(Default)'
            - '\LocalServer32\(Default)'
    selection_target_builtin_clsid:
        TargetObject|contains:
            # Note: Add other legitimate CLSID
            - '\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\'
            - '\{2155fee3-2419-4373-b102-6843707eb41f}\'
            - '\{4590f811-1d3a-11d0-891f-00aa004b2e24}\'
            - '\{4de225bf-cf59-4cfc-85f7-68b90f185355}\'
            - '\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\'
            - '\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\'
            - '\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\'
            - '\{7849596a-48ea-486e-8937-a2a3009f31a9}\'
            - '\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\'
            - '\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\'
            - '\{30D49246-D217-465F-B00B-AC9DDD652EB7}\'
            - '\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\'
            - '\{2227A280-3AEA-1069-A2DE-08002B30309D}\'
            - '\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\'
            - '\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\'
    selection_susp_location_1:
        Details|contains:
            # Note: Add more suspicious paths and locations
            - ':\Perflogs\'
            - '\AppData\Local\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
            - '\System32\spool\drivers\color\' # as seen in the knotweed blog
            - '\Temporary Internet'
            - '\Users\Public\'
            - '\Windows\Temp\'
            - '%appdata%'
            - '%temp%'
            - '%tmp%'
    selection_susp_location_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Details|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: all of selection_target_* and 1 of selection_susp_location_*
falsepositives:
    - Unlikely
level: high
Change Default File Association To Executable Via Assoc
Detects when a program changes the default file association of any extension to an executable.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
title: Change Default File Association To Executable Via Assoc
id: ae6f14e6-14de-45b0-9f44-c0986f50dc89
related:
    - id: 3d3aa6cd-6272-44d6-8afc-7e88dfef7061
      type: derived
status: test
description: |
    Detects when a program changes the default file association of any extension to an executable.
    When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/assoc
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-03-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - 'assoc '
            - 'exefile'
    filter:
        CommandLine|contains: '.exe=exefile'
    condition: all of selection_* and not filter
falsepositives:
    - Unknown
level: high
Control Panel Items
Detects the malicious use of a control panel item
title: Control Panel Items
id: 0ba863e6-def5-4e50-9cea-4dd8c7dc46a4
status: test
description: Detects the malicious use of a control panel item
references:
    - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins
author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_)
date: 2020-06-22
modified: 2023-10-11
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.t1218.002
    - attack.persistence
    - attack.t1546
logsource:
    product: windows
    category: process_creation
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_reg_cli:
        CommandLine|contains|all:
            - 'add'
            - 'CurrentVersion\Control Panel\CPLs'
    selection_cpl:
        CommandLine|endswith: '.cpl'
    filter_cpl_sys:
        CommandLine|contains:
            - '\System32\'
            - '%System%'
            - '|C:\Windows\system32|'
    filter_cpl_igfx:
        CommandLine|contains|all:
            - 'regsvr32 '
            - ' /s '
            - 'igfxCPL.cpl'
    condition: all of selection_reg_* or (selection_cpl and not 1 of filter_cpl_*)
falsepositives:
    - Unknown
level: high
New ActiveScriptEventConsumer Created Via Wmic.EXE
Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
title: New ActiveScriptEventConsumer Created Via Wmic.EXE
id: ebef4391-1a81-4761-a40a-1db446c0e625
status: test
description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
references:
    - https://twitter.com/johnlatwc/status/1408062131321270282?s=12
    - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
author: Florian Roth (Nextron Systems)
date: 2021-06-25
modified: 2023-02-14
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'ActiveScriptEventConsumer'
            - ' CREATE '
    condition: selection
falsepositives:
    - Legitimate software creating script event consumers
level: high
New Netsh Helper DLL Registered From A Suspicious Location
Detects changes to the Netsh registry key to add a new DLL value that is located in a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper.
title: New Netsh Helper DLL Registered From A Suspicious Location
id: e7b18879-676e-4a0e-ae18-27039185a8e7
related:
    - id: 56321594-9087-49d9-bf10-524fe8479452
      type: similar
    - id: c90362e0-2df3-4e61-94fe-b37615814cb1
      type: similar
status: test
description: |
    Detects changes to the Netsh registry key to add a new DLL value that is located in a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper.
references:
    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
logsource:
    category: registry_set
    product: windows
detection:
    selection_target:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
    selection_folders_1:
        Details|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\Temporary Internet'
    selection_folders_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Details|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_target and 1 of selection_folders_*
falsepositives:
    - Unknown
level: high
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
title: Outlook Macro Execution Without Warning Setting Enabled
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: test
description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\Level'
        Details|contains: '0x00000001' # Enable all Macros
    condition: selection
falsepositives:
    - Unlikely
level: high
Potential PSFactoryBuffer COM Hijacking
Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
title: Potential PSFactoryBuffer COM Hijacking
id: 243380fa-11eb-4141-af92-e14925e77c1b
status: test
description: Detects changes to the PSFactory COM InProcServer32 registry. This technique was used by RomCom to create persistence storing a malicious DLL.
references:
    - https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine
    - https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html
    - https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection
    - https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html
author: BlackBerry Threat Research and Intelligence Team - @Joseliyo_Jstnk
date: 2023-06-07
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\CLSID\{c90250f3-4d7d-4991-9b69-a5c5bc1c2ae6}\InProcServer32\(Default)'
    filter_main:
        Details:
            - '%windir%\System32\ActXPrxy.dll'
            - 'C:\Windows\System32\ActXPrxy.dll'
    condition: selection and not filter_main
falsepositives:
    - Unknown
level: high
Potential Persistence Via App Paths Default Property
Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry, which might be used as a method of persistence.
The entries found under App Paths are used primarily for the following purposes.
First, to map an application's executable file name to that file's fully qualified path.
Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
title: Potential Persistence Via App Paths Default Property
id: 707e097c-e20f-4f67-8807-1f72ff4500d6
status: test
description: |
    Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry, which might be used as a method of persistence.
    The entries found under App Paths are used primarily for the following purposes.
    First, to map an application's executable file name to that file's fully qualified path.
    Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
references:
    - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
    - https://learn.microsoft.com/en-us/windows/win32/shell/app-registration
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-10
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.012
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
        TargetObject|endswith:
            - '(Default)'
            - 'Path'
        Details|contains:
            # Add more suspicious paths or binaries as you see fit.
            - '\Users\Public'
            - '\AppData\Local\Temp\'
            - '\Windows\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '%temp%'
            - '%tmp%'
            - 'iex'
            - 'Invoke-'
            - 'rundll32'
            - 'regsvr32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - '.bat'
            - '.hta'
            - '.dll'
            - '.ps1'
    condition: selection
falsepositives:
    - Legitimate applications registering their binary from one of the suspicious locations mentioned above (tune it)
level: high
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
status: test
author: Karneades, Jonhnathan Ribeiro, Florian Roth
id: 36803969-5421-41ec-b92f-8500f79c23b0
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
status: test
description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
        Details|contains: '0x00000001'
    condition: selection
falsepositives:
    - Unknown
level: high
Potential Persistence Via Shim Database In Uncommon Location
Detects the installation of a new shim database where the file is located in a non-default location
title: Potential Persistence Via Shim Database In Uncommon Location
id: 6b6976a3-b0e6-4723-ac24-ae38a737af41
status: test
description: Detects the installation of a new shim database where the file is located in a non-default location
references:
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
    - https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
            - '\DatabasePath'
    filter_main_known_locations:
        Details|contains: ':\Windows\AppPatch\Custom'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
Potential Privilege Escalation Using Symlink Between Osk and Cmd
Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
title: Potential Privilege Escalation Using Symlink Between Osk and Cmd
id: e9b61244-893f-427c-b287-3e708f321c6b
status: test
description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md
    - https://ss64.com/nt/mklink.html
author: frack113
date: 2022-12-11
modified: 2022-12-20
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.008
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cli:
        CommandLine|contains|all:
            - 'mklink'
            - '\osk.exe'
            - '\cmd.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd/info.yml
Rundll32 Registered COM Objects
Detects Rundll32 being used to load malicious registered COM objects.
title: Rundll32 Registered COM Objects
id: f1edd233-30b5-4823-9e6a-c4171b24d316
status: test
description: Detects Rundll32 being used to load malicious registered COM objects.
references:
    - https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022-02-13
modified: 2023-02-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\rundll32.exe'
        - OriginalFileName: 'RUNDLL32.EXE'
    selection_cli:
        CommandLine|contains:
            - '-sta '
            - '-localserver '
        CommandLine|contains|all:
            - '{'
            - '}'
    condition: all of selection_*
falsepositives:
    - Legitimate use
level: high
Shell Open Registry Keys Manipulation
Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
title: Shell Open Registry Keys Manipulation
id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
related:
    - id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
      type: similar
status: test
description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
references:
    - https://github.com/hfiref0x/UACME
    - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
    - https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass
    - https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
author: Christian Burkard (Nextron Systems)
date: 2021-08-30
modified: 2022-01-13
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_event
    product: windows
detection:
    selection1:
        EventType: SetValue
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
        Details|contains: '\Software\Classes\{'
    selection2:
        TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
    selection3:
        EventType: SetValue
        TargetObject|endswith:
            - 'Classes\ms-settings\shell\open\command\(Default)'
            - 'Classes\exefile\shell\open\command\(Default)'
    filter_sel3:
        Details: '(Empty)'
    condition: selection1 or selection2 or (selection3 and not filter_sel3)
falsepositives:
    - Unknown
level: high
Suspicious Debugger Registration Cmdline
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
title: Suspicious Debugger Registration Cmdline
id: ae215552-081e-44c7-805f-be16f975c8a2
status: test
description: Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
references:
    - https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/
    - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-09-06
modified: 2022-08-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.008
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains: '\CurrentVersion\Image File Execution Options\'
    selection2:
        CommandLine|contains:
            - 'sethc.exe'
            - 'utilman.exe'
            - 'osk.exe'
            - 'magnify.exe'
            - 'narrator.exe'
            - 'displayswitch.exe'
            - 'atbroker.exe'
            - 'HelpPane.exe'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
Suspicious Encoded Scripts in a WMI Consumer
Detects suspicious encoded payloads in WMI Event Consumers
title: Suspicious Encoded Scripts in a WMI Consumer
id: 83844185-1c5b-45bc-bcf3-b5bf3084ca5b
status: test
description: Detects suspicious encoded payloads in WMI Event Consumers
references:
    - https://github.com/RiccardoAncarani/LiquidSnake
author: Florian Roth (Nextron Systems)
date: 2021-09-01
modified: 2022-10-09
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1047
    - attack.persistence
    - attack.t1546.003
logsource:
    product: windows
    category: wmi_event
detection:
    selection_destination:
        Destination|base64offset|contains:
            - 'WriteProcessMemory'
            - 'This program cannot be run in DOS mode'
            - 'This program must be run under Win32'
    condition: selection_destination
falsepositives:
    - Unknown
level: high
Suspicious Get-Variable.exe Creation
Get-Variable is a valid PowerShell cmdlet
WindowsApps is by default in the path where PowerShell is executed.
So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: test
description: |
    Get-Variable is a valid PowerShell cmdlet
    WindowsApps is by default in the path where PowerShell is executed.
    So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
    - https://www.joesandbox.com/analysis/465533/0/html
author: frack113
date: 2022-04-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.stealth
    - attack.t1546
    - attack.t1027
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
Suspicious Outlook Macro Created
Detects the creation of a macro file for Outlook.
title: Suspicious Outlook Macro Created
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
    - id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    filter:
        Image|endswith: '\outlook.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
title: Suspicious Shim Database Patching Activity
id: bf344fea-d947-4ef4-9192-34d008315d3a
status: test
description: Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-01
modified: 2023-12-06
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
        TargetObject|endswith:
            # Note: add other applications to increase coverage
            - '\csrss.exe'
            - '\dllhost.exe'
            - '\explorer.exe'
            - '\RuntimeBroker.exe'
            - '\services.exe'
            - '\sihost.exe'
            - '\svchost.exe'
            - '\taskhostw.exe'
            - '\winlogon.exe'
            - '\WmiPrvSe.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
WMI Persistence - Command Line Event Consumer
Detects WMI command line event consumers
title: WMI Persistence - Command Line Event Consumer
id: 05936ce2-ee05-4dae-9d03-9a391cf2d2c6
status: test
description: Detects WMI command line event consumers
references:
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1546.003
    - attack.persistence
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        ImageLoaded|endswith: '\wbemcons.dll'
    condition: selection
falsepositives:
    - Unknown (data set is too small; further testing needed)
level: high
WMI Persistence - Script Event Consumer File Write
Detects file writes of WMI script event consumer
title: WMI Persistence - Script Event Consumer File Write
id: 33f41cdd-35ac-4ba8-814b-c6a4244a1ad4
status: test
description: Detects file writes of WMI script event consumer
references:
    - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
author: Thomas Patzke
date: 2018-03-07
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.t1546.003
    - attack.persistence
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
    condition: selection
falsepositives:
    - Dell Power Manager (C:\Program Files\Dell\PowerManager\DpmPowerPlanSetup.exe)
level: high
COM Hijacking via TreatAs
Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command.
title: COM Hijacking via TreatAs
id: dc5c24af-6995-49b2-86eb-a9ff62199e82
status: test
description: Detects modification of the TreatAs key to enable the "rundll32.exe -sta" command.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
    - https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s
author: frack113
date: 2022-08-28
modified: 2025-07-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'TreatAs\(Default)'
    filter_office:
        Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_office2:
        Image:
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
    filter_svchost:
        # Example of target object by svchost
        # TargetObject: HKLM\SOFTWARE\Microsoft\MsixRegistryCompatibility\Package\Microsoft.Paint_11.2208.6.0_x64__8wekyb3d8bbwe\User\SOFTWARE\Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
        # TargetObject: HKU\S-1-5-21-1000000000-000000000-000000000-0000_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs\(Default)
        Image: 'C:\Windows\system32\svchost.exe'
    filter_misexec:
        # This FP has been seen during installation/updates
        Image:
            - 'C:\Windows\system32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate use
level: medium
MacOS Emond Launch Daemon
Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
title: MacOS Emond Launch Daemon
id: 23c43900-e732-45a4-8354-63e4a6c187ce
status: test
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
    - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
author: Alejandro Ortuno, oscd.community
date: 2020-10-23
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.014
logsource:
    category: file_event
    product: macos
detection:
    selection_1:
        TargetFilename|contains: '/etc/emond.d/rules/'
        TargetFilename|endswith: '.plist'
    selection_2:
        TargetFilename|contains: '/private/var/db/emondClients/'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
New DLL Added to AppCertDlls Registry Key
Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
title: New DLL Added to AppCertDlls Registry Key
id: 6aa1d992-5925-4e9f-a49b-845e51d1de01
status: test
description: |
    Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation
    by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
references:
    - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
    - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
author: Ilyas Ochkov, oscd.community
date: 2019-10-25
modified: 2021-11-27
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.009
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        # Sysmon gives us HKLM\SYSTEM\CurrentControlSet\.. if ControlSetXX is the selected one
        - TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
        # key rename; the path must be spelled exactly as Sysmon reports it (CurrentControlSet) or it never matches
        - NewName: 'HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    condition: selection
falsepositives:
    - Unknown
level: medium
New DLL Added to AppInit_DLLs Registry Key
DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll.
title: New DLL Added to AppInit_DLLs Registry Key
id: 4f84b697-c9ed-4420-8ab5-e09af5b2345d
status: test
description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll.
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
author: Ilyas Ochkov, oscd.community, Tim Shelton
date: 2019-10-25
modified: 2022-12-25
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.010
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        - TargetObject|endswith:
              - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
              - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
        # Key Rename
        - NewName|endswith:
              - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
              - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
    filter:
        Details: '(Empty)'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
New Outlook Macro Created
Detects the creation of a macro file for Outlook.
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
    - id: 117d3d3a-755c-4a61-b23e-9171146d094c
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    condition: selection
falsepositives:
    - User genuinely creates a VB Macro for their email
level: medium
Path To Screensaver Binary Modified
Detects modification of the registry value that holds the path to the binary used as the screensaver.
title: Path To Screensaver Binary Modified
id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000
status: test
description: Detects modification of the registry value that holds the path to the binary used as the screensaver.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: Bartlomiej Czyz @bczyz1, oscd.community
date: 2020-10-11
modified: 2021-11-27
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.002
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
    filter:
        Image|endswith:
            - '\rundll32.exe'
            - '\explorer.exe'
    condition: selection and not filter
falsepositives:
    - Legitimate modification of screensaver
level: medium
Potential COM Object Hijacking Via TreatAs Subkey - Registry
Detects COM object hijacking via TreatAs subkey
title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: test
description: Detects COM object hijacking via TreatAs subkey
references:
    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019-10-23
modified: 2025-10-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - 'HKU\'
            - 'Classes\CLSID\'
            - '\TreatAs'
    filter_main_svchost:
        # Example of target object by svchost
        # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs
        Image: 'C:\WINDOWS\system32\svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Maybe some system utilities in rare cases use linking keys for backward compatibility
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml
simulation:
    - type: atomic-red-team
      name: COM hijacking via TreatAs
      technique: T1546.015
      atomic_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9
Potential Persistence Using DebugPath
Detects potential persistence using Appx DebugPath
title: Potential Persistence Using DebugPath
id: df4dc653-1029-47ba-8231-3c44238cc0ae
status: test
description: Detects potential persistence using Appx DebugPath
references:
    - https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/
    - https://github.com/rootm0s/WinPwnage
author: frack113
date: 2022-07-27
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection_debug:
        TargetObject|contains: 'Classes\ActivatableClasses\Package\Microsoft.'
        TargetObject|endswith: '\DebugPath'
    selection_default:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\PackagedAppXDebug\Microsoft.'
        TargetObject|endswith: '\(Default)'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
This can be potentially abused as a persistence mechanism.
title: Potential Persistence Via AppCompat RegisterAppRestart Layer
id: b86852fb-4c77-48f9-8519-eb1b2c308b59
status: test
description: |
    Detects the setting of the REGISTERAPPRESTART compatibility layer on an application.
    This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API.
    This can be potentially abused as a persistence mechanism.
references:
    - https://github.com/nasbench/Misc-Research/blob/d114d6a5e0a437d3818e492ef9864367152543e7/Other/Persistence-Via-RegisterAppRestart-Shim.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-01-01
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\'
        Details|contains: 'REGISTERAPPRESTART'
    condition: selection
falsepositives:
    - Legitimate applications making use of this feature for compatibility reasons
level: medium
Potential Persistence Via Netsh Helper DLL
Detects the execution of netsh with the "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
title: Potential Persistence Via Netsh Helper DLL
id: 56321594-9087-49d9-bf10-524fe8479452
related:
    - id: c90362e0-2df3-4e61-94fe-b37615814cb1
      type: similar
    - id: e7b18879-676e-4a0e-ae18-27039185a8e7
      type: similar
status: test
description: |
    Detects the execution of netsh with the "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
    - https://github.com/outflanknl/NetshHelperBeacon
    - https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
author: Victor Sergeev, oscd.community
date: 2019-10-25
modified: 2023-11-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
    - attack.s0108
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'netsh.exe'
        - Image|endswith: '\netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'add'
            - 'helper'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key that add a new DLL value. This change might be an indication of a persistence attempt by adding a malicious Netsh helper.
title: Potential Persistence Via Netsh Helper DLL - Registry
id: c90362e0-2df3-4e61-94fe-b37615814cb1
related:
    - id: 56321594-9087-49d9-bf10-524fe8479452
      type: similar
    - id: e7b18879-676e-4a0e-ae18-27039185a8e7
      type: similar
status: test
description: |
    Detects changes to the Netsh registry key that add a new DLL value. This change might be an indication of a persistence attempt by adding a malicious Netsh helper.
references:
    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Anish Bogati
date: 2023-11-28
modified: 2025-10-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
        Details|contains: '.dll'
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        Details:
            - 'ipmontr.dll'
            - 'iasmontr.dll'
            - 'ippromon.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate helper added by different programs and the OS
level: medium
Potential Persistence Via PowerShell User Profile Using Add-Content
Detects calls to the "Add-Content" cmdlet that modify the content of the user profile and potentially add suspicious commands for persistence.
title: Potential Persistence Via PowerShell User Profile Using Add-Content
id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
status: test
description: Detects calls to the "Add-Content" cmdlet that modify the content of the user profile and potentially add suspicious commands for persistence.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2021-08-18
modified: 2023-05-04
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.013
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_add:
        ScriptBlockText|contains: 'Add-Content $profile'
    selection_options:
        ScriptBlockText|contains:
            # Note: You can add more suspicious values
            - '-Value "IEX '
            - '-Value "Invoke-Expression'
            - '-Value "Invoke-WebRequest'
            - '-Value "Start-Process'
            - "-Value 'IEX "
            - "-Value 'Invoke-Expression"
            - "-Value 'Invoke-WebRequest"
            - "-Value 'Start-Process"
    condition: all of selection_*
falsepositives:
    - Legitimate administration and tuning scripts that aim to add functionality to a user PowerShell session
level: medium
Potential Persistence Via Scrobj.dll COM Hijacking
Detects use of scrobj.dll, as this DLL looks for the ScriptletURL key to get the location of the script to execute.
title: Potential Persistence Via Scrobj.dll COM Hijacking
id: fe20dda1-6f37-4379-bbe0-a98d400cae90
status: test
description: Detects use of scrobj.dll, as this DLL looks for the ScriptletURL key to get the location of the script to execute.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
author: frack113
date: 2022-08-20
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: 'InprocServer32\(Default)'
        Details: 'C:\WINDOWS\system32\scrobj.dll'
    condition: selection
falsepositives:
    - Legitimate use of the DLL.
level: medium
Potential Persistence Via Shim Database Modification
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
title: Potential Persistence Via Shim Database Modification
id: dfb5b4e8-91d0-4291-b40a-e3b0d3942c45
status: test
description: |
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
    The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb
    - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
    - https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/
author: frack113
date: 2021-12-30
modified: 2025-10-22
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.011
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\'
            - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\'
    filter_main_empty_string:
        Details: ''
    filter_main_empty_value:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate custom SHIM installations will also trigger this rule
level: medium
Potential Shim Database Persistence via Sdbinst.EXE
Detects installation of a new shim using sdbinst.exe.
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
title: Potential Shim Database Persistence via Sdbinst.EXE
id: 517490a7-115a-48c6-8862-1a481504d5a8
related:
    - id: 18ee686c-38a3-4f65-9f44-48a077141f42
      type: similar
status: test
description: |
    Detects installation of a new shim using sdbinst.exe.
    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
references:
    - https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence
author: Markus Neis
date: 2019-01-16
modified: 2023-12-06
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.011
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\sdbinst.exe'
        - OriginalFileName: 'sdbinst.exe'
    selection_cli:
        CommandLine|contains: '.sdb'
    filter_optional_iis:
        ParentImage|endswith: '\msiexec.exe'
        CommandLine|contains:
            # Expected behavior for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120)
            - ':\Program Files (x86)\IIS Express\iisexpressshim.sdb'
            - ':\Program Files\IIS Express\iisexpressshim.sdb'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
Potential Suspicious Activity Using SeCEdit
Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy.
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$' # SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium
PowerShell Profile Modification
Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence.
title: PowerShell Profile Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: test
description: Detects the creation or modification of a PowerShell profile, which could indicate suspicious activity as the profile can be used as a means of persistence.
references:
    - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
    - https://persistence-info.github.io/Data/powershellprofile.html
author: HieuTT35, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-24
modified: 2023-10-23
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.013
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '\Microsoft.PowerShell_profile.ps1'
            - '\PowerShell\profile.ps1'
            - '\Program Files\PowerShell\7-preview\profile.ps1'
            - '\Program Files\PowerShell\7\profile.ps1'
            - '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
            - '\WindowsPowerShell\profile.ps1'
    condition: selection
falsepositives:
    - System administrator creating a PowerShell profile manually
level: medium
Powershell WMI Persistence
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
title: Powershell WMI Persistence
id: 9e07f6e7-83aa-45c6-998e-0af26efd0a85
status: test
description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
    - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
author: frack113
date: 2021-08-19
modified: 2022-12-25
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_ioc:
        - ScriptBlockText|contains|all:
              - 'New-CimInstance '
              - '-Namespace root/subscription '
              - '-ClassName __EventFilter '
              - '-Property ' # is a variable name
        - ScriptBlockText|contains|all:
              - 'New-CimInstance '
              - '-Namespace root/subscription '
              - '-ClassName CommandLineEventConsumer '
              - '-Property ' # is a variable name
    condition: selection_ioc
falsepositives:
    - Unknown
level: medium
Registry Modification of MS-settings Protocol Handler
Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.
Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
title: Registry Modification of MS-settings Protocol Handler
id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
related:
    - id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
      type: similar
status: test
description: |
    Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence.
    Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
references:
    - https://thedfirreport.com/2021/12/13/diavol-ransomware/
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: frack113, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2021-12-20
modified: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.defense-impairment
    - attack.t1548.002
    - attack.t1546.001
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_pwsh_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_reg_cli:
        CommandLine|contains: 'add'
    selection_pwsh_cli:
        CommandLine|contains:
            - 'New-ItemProperty'
            - 'Set-ItemProperty'
            - 'ni '
            - 'sp '
    selection_cli_key:
        CommandLine|contains: '\ms-settings\shell\open\command'
    condition: (all of selection_reg_* or all of selection_pwsh_*) and selection_cli_key
falsepositives:
    - Unknown
level: medium
Session Manager Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
title: Session Manager Autorun Keys Modification
id: 046218bd-e0d8-4113-a3c3-895a12b2b298
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: Detects modification of autostart extensibility point (ASEP) in registry.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
    - attack.t1546.009
logsource:
    category: registry_set
    product: windows
detection:
    session_manager_base:
        TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager'
    session_manager:
        TargetObject|contains:
            - '\SetupExecute'
            - '\S0InitialCommand'
            - '\KnownDlls'
            - '\Execute'
            - '\BootExecute'
            - '\AppCertDlls'
    filter:
        Details: '(Empty)'
    condition: session_manager_base and session_manager and not filter
falsepositives:
    - Legitimate software automatically (mostly during installation) sets up autorun keys for legitimate reasons
    - Legitimate administrator sets up autorun keys for legitimate reasons
level: medium
Suspicious GetTypeFromCLSID ShellExecute
Detects suspicious PowerShell code that executes COM objects.
status: test | author: frack113 | id: 8bc063d5-3a3a-4f01-a140-bc15e55e8437
title: Suspicious GetTypeFromCLSID ShellExecute
id: 8bc063d5-3a3a-4f01-a140-bc15e55e8437
status: test
description: Detects suspicious PowerShell code that executes COM objects
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
author: frack113
date: 2022-04-02
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - '::GetTypeFromCLSID('
            - '.ShellExecute('
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
Suspicious ScreenSave Change by Reg.exe
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
status: test | author: frack113 | id: 0fc35fc3-efe6-4898-8a37-0b233339524f
title: Suspicious ScreenSave Change by Reg.exe
id: 0fc35fc3-efe6-4898-8a37-0b233339524f
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
    - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
author: frack113
date: 2021-08-19
modified: 2022-06-02
tags:
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1546.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_reg:
        Image|endswith: '\reg.exe'
        CommandLine|contains:
            - 'HKEY_CURRENT_USER\Control Panel\Desktop'
            - 'HKCU\Control Panel\Desktop'
    selection_option_1: # /force Active ScreenSaveActive
        CommandLine|contains|all:
            - '/v ScreenSaveActive'
            - '/t REG_SZ'
            - '/d 1'
            - '/f'
    selection_option_2: # /force set ScreenSaveTimeout
        CommandLine|contains|all:
            - '/v ScreenSaveTimeout'
            - '/t REG_SZ'
            - '/d '
            - '/f'
    selection_option_3: # /force set ScreenSaverIsSecure
        CommandLine|contains|all:
            - '/v ScreenSaverIsSecure'
            - '/t REG_SZ'
            - '/d 0'
            - '/f'
    selection_option_4: # /force set a .scr
        CommandLine|contains|all:
            - '/v SCRNSAVE.EXE'
            - '/t REG_SZ'
            - '/d '
            - '.scr'
            - '/f'
    condition: selection_reg and 1 of selection_option_*
falsepositives:
    - GPO
level: medium
Suspicious Screensaver Binary File Creation
Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
status: test | author: frack113 | id: 97aa2e88-555c-450d-85a6-229bcd87efb8
title: Suspicious Screensaver Binary File Creation
id: 97aa2e88-555c-450d-85a6-229bcd87efb8
status: test
description: |
    Adversaries may establish persistence by executing malicious content triggered by user inactivity.
    Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md
author: frack113
date: 2021-12-29
modified: 2022-11-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.scr'
    filter_generic:
        Image|endswith:
            - '\Kindle.exe'
            - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
    filter_tiworker:
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p
        Image|endswith: '\TiWorker.exe'
        TargetFilename|endswith: '\uwfservicingscr.scr'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
Suspicious Shell Open Command Registry Modification
Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
status: experimental | author: Swachchhanda Shrawan Poudel (Nextron Systems) | id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
title: Suspicious Shell Open Command Registry Modification
id: 9e8894c0-0ae0-11ef-9d85-1f2942bec57c
status: experimental
description: |
    Detects modifications to shell open registry keys that point to suspicious locations typically used by malware for persistence.
    Generally, modifications to the `*\shell\open\command` registry key can indicate an attempt to change the default action for opening files,
    and various UAC bypass or persistence techniques involve modifying these keys to execute malicious scripts or binaries.
references:
    - https://www.trendmicro.com/en_us/research/25/f/water-curse.html
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1548.002
    - attack.t1546.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\shell\open\command\'
        Details|contains:
            - '\$Recycle.Bin\'
            - '\AppData\Local\Temp\'
            - '\Contacts\'
            - '\Music\'
            - '\PerfLogs\'
            - '\Photos\'
            - '\Pictures\'
            - '\Users\Public\'
            - '\Videos\'
            - '\Windows\Temp\'
            - '%AppData%'
            - '%LocalAppData%'
            - '%Temp%'
            - '%tmp%'
    condition: selection
falsepositives:
    - Legitimate software installations or updates that modify the shell open command registry keys to these locations.
level: medium
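The detection logic of the rules on this page, as an added example that is not part of the rules or of the Sigma project: a minimal Python evaluator for the selection and condition shapes these rules share (case-insensitive `contains` and `endswith`, OR-ed value lists, the `|all` modifier, `all of` / `1 of` selection groups, and `not filter`), run over constructed events for the MS-settings handler, Session Manager and ScreenSave rules above. Every event value, path, user name and label is invented for illustration. Two things it makes concrete: the MS-settings rule's `CommandLine|contains: 'add'` matches that substring anywhere, so a read-only `reg query` still fires when some other token happens to contain `add`; and the ScreenSave rule requires the literal `/t REG_SZ`, so a `reg add` that omits `/t` (REG_SZ is the default type) is not matched.

```python
# Added example, not part of the rules above: a minimal evaluator for the Sigma
# selection/condition shapes used on this page, run over constructed events.
# Event values, paths and labels below are hypothetical.

def _lc(value):
    return str(value).lower()  # Sigma string matching is case-insensitive

def match_field(event, spec, expected):
    # One 'Field|modifier' entry; a list of values is OR-ed unless '|all' is present.
    field, *mods = spec.split("|")
    actual = _lc(event.get(field, ""))
    wanted = [_lc(v) for v in (expected if isinstance(expected, list) else [expected])]

    def one(v):
        if "contains" in mods:
            return v in actual
        if "endswith" in mods:
            return actual.endswith(v)
        return actual == v  # no modifier: exact (case-insensitive) match

    return all(map(one, wanted)) if "all" in mods else any(map(one, wanted))

def match_selection(event, selection):
    # A YAML map is AND-ed across its fields; a YAML list of maps is OR-ed.
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(match_field(event, k, v) for k, v in selection.items())

def quantify(hits, prefix, agg):
    # 'all of prefix*' -> agg=all ; '1 of prefix*' -> agg=any
    return agg(v for k, v in hits.items() if k.startswith(prefix))

def evaluate(rule, event):
    hits = {name: match_selection(event, sel) for name, sel in rule["detection"].items()}
    return rule["condition"](hits)

RULES = {
    # Registry Modification of MS-settings Protocol Handler (process_creation)
    "ms_settings_handler": {
        "detection": {
            "selection_reg_img": [{"Image|endswith": "\\reg.exe"}, {"OriginalFileName": "reg.exe"}],
            "selection_pwsh_img": [{"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
                                   {"OriginalFileName": ["powershell.exe", "pwsh.dll"]}],
            "selection_reg_cli": {"CommandLine|contains": "add"},
            "selection_pwsh_cli": {"CommandLine|contains": ["New-ItemProperty", "Set-ItemProperty", "ni ", "sp "]},
            "selection_cli_key": {"CommandLine|contains": "\\ms-settings\\shell\\open\\command"},
        },
        "condition": lambda h: (quantify(h, "selection_reg_", all) or quantify(h, "selection_pwsh_", all)) and h["selection_cli_key"],
    },
    # Session Manager Autorun Keys Modification (registry_set)
    "session_manager_asep": {
        "detection": {
            "session_manager_base": {"TargetObject|contains": "\\System\\CurrentControlSet\\Control\\Session Manager"},
            "session_manager": {"TargetObject|contains": ["\\SetupExecute", "\\S0InitialCommand", "\\KnownDlls",
                                                          "\\Execute", "\\BootExecute", "\\AppCertDlls"]},
            "filter": {"Details": "(Empty)"},
        },
        "condition": lambda h: h["session_manager_base"] and h["session_manager"] and not h["filter"],
    },
    # Suspicious ScreenSave Change by Reg.exe (process_creation)
    "screensave_reg": {
        "detection": {
            "selection_reg": {"Image|endswith": "\\reg.exe",
                              "CommandLine|contains": ["HKEY_CURRENT_USER\\Control Panel\\Desktop", "HKCU\\Control Panel\\Desktop"]},
            "selection_option_1": {"CommandLine|contains|all": ["/v ScreenSaveActive", "/t REG_SZ", "/d 1", "/f"]},
            "selection_option_2": {"CommandLine|contains|all": ["/v ScreenSaveTimeout", "/t REG_SZ", "/d ", "/f"]},
            "selection_option_3": {"CommandLine|contains|all": ["/v ScreenSaverIsSecure", "/t REG_SZ", "/d 0", "/f"]},
            "selection_option_4": {"CommandLine|contains|all": ["/v SCRNSAVE.EXE", "/t REG_SZ", "/d ", ".scr", "/f"]},
        },
        "condition": lambda h: h["selection_reg"] and quantify(h, "selection_option_", any),
    },
}

REG = {"Image": "C:\\Windows\\System32\\reg.exe", "OriginalFileName": "reg.exe"}
SM_KEY = "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\BootExecute"
MS_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command"

# Constructed events keyed by a label; field names follow the Sigma/Sysmon taxonomy.
EVENTS = {
    "uac_bypass_reg": {**REG, "CommandLine": f"reg add {MS_KEY} /ve /d C:\\Users\\Public\\p.exe /f"},
    "uac_bypass_pwsh": {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "OriginalFileName": "pwsh.dll",
                        "CommandLine": f'pwsh -c "sp HKCU:{MS_KEY[5:]} -Name (default) -Value C:\\Users\\Public\\p.exe"'},
    # 'add' is matched anywhere in the command line, so this read-only query fires too (user name 'maddy')
    "ms_settings_query": {**REG, "CommandLine": f"reg query {MS_KEY} > C:\\Users\\maddy\\out.txt"},
    "bootexecute_set": {"TargetObject": SM_KEY, "Details": "autocheck autochk * C:\\Users\\Public\\evil.exe"},
    "bootexecute_cleared": {"TargetObject": SM_KEY, "Details": "(Empty)"},  # dropped by 'not filter'
    "scr_with_type": {**REG, "CommandLine": 'reg add "HKCU\\Control Panel\\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d C:\\Users\\Public\\s.scr /f'},
    # reg add defaults to REG_SZ when /t is omitted, but the rule requires the literal '/t REG_SZ'
    "scr_without_type": {**REG, "CommandLine": 'reg add "HKCU\\Control Panel\\Desktop" /v SCRNSAVE.EXE /d C:\\Users\\Public\\s.scr /f'},
}

def scan(events=EVENTS, rules=RULES):
    """Return {event_label: [names of rules that fired]}."""
    return {label: [name for name, rule in rules.items() if evaluate(rule, ev)] for label, ev in events.items()}

if __name__ == "__main__":
    for label, fired in scan().items():
        print(f"{label:20s} -> {fired or 'no match'}")
```

Running the file prints which rules fire for each constructed event. The evaluator implements only the modifiers these six rules use and is meant to make the matching semantics visible; it is not a replacement for converting the rules with sigma-cli and testing the backend query in the target SIEM.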