Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Hiding User Account Via SpecialAccounts Registry Key
Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
status testauthor Nasreddine Bencherchali (Nextron Systems), frack113id f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
view Sigma YAML
title: Hiding User Account Via SpecialAccounts Registry Key
id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
related:
- id: 8a58209c-7ae6-4027-afb0-307a78e4589a
type: obsolete
- id: 9ec9fb1b-e059-4489-9642-f270c207923d
type: similar
status: test
description: Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
references:
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1564.002/T1564.002.md#atomic-test-3---create-hidden-user-in-registry
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-07-12
modified: 2023-01-26
tags:
- attack.stealth
- attack.t1564.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_special_accounts/info.yml
simulation:
- type: atomic-red-team
name: Create Hidden User in Registry
technique: T1564.002
atomic_guid: 173126b7-afe4-45eb-8680-fa9f6400431c
high
NTFS Alternate Data Stream
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
status testauthor Sami Ruohonenid 8c521530-5169-495d-a199-0a3a881ad24e
view Sigma YAML
title: NTFS Alternate Data Stream
id: 8c521530-5169-495d-a199-0a3a881ad24e
status: test
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
references:
- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: Sami Ruohonen
date: 2018-07-24
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1564.004
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_content:
ScriptBlockText|contains:
- set-content
- add-content
selection_stream:
ScriptBlockText|contains: '-stream'
condition: all of selection*
falsepositives:
- Unknown
level: high
high
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
status testauthor Nasreddine Bencherchali (Nextron Systems)id 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
view Sigma YAML
title: Potential Data Stealing Via Chromium Headless Debugging
id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
- id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
type: derived
status: test
description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
references:
- https://github.com/defaultnamehere/cookie_crimes/
- https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
- https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
- https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
- attack.credential-access
- attack.collection
- attack.stealth
- attack.t1185
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
- '--user-data-dir'
- '--headless'
condition: selection
falsepositives:
- Unknown
level: high
high
Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
status testauthor Harjot Singh, '@cyb3rjy0t'id 9248c7e1-2bf3-4661-a22c-600a8040b446
view Sigma YAML
title: Potential Rundll32 Execution With DLL Stored In ADS
id: 9248c7e1-2bf3-4661-a22c-600a8040b446
status: test
description: Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Rundll32
author: Harjot Singh, '@cyb3rjy0t'
date: 2023-01-21
modified: 2026-03-16
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\rundll32.exe'
- OriginalFileName: 'RUNDLL32.EXE'
selection_cli:
# Example:
# rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain
# Note: This doesn't cover the use case where a full path for the DLL isn't used. As it requires a more expensive regex
CommandLine|re: '[Rr][Uu][Nn][Dd][Ll][Ll]32(?:\.[Ee][Xx][Ee])? \S+?\w:\S+?:'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
Potentially Suspicious Execution From Parent Process In Public Folder
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
title: Potentially Suspicious Execution From Parent Process In Public Folder
id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
status: test
description: |
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-25
modified: 2024-07-12
tags:
- attack.execution
- attack.stealth
- attack.t1564
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains: ':\Users\Public\'
selection_child:
- Image|endswith:
- '\bitsadmin.exe'
- '\certutil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\wscript.exe'
- CommandLine|contains:
- 'bitsadmin'
- 'certutil'
- 'cscript'
- 'mshta'
- 'powershell'
- 'regsvr32'
- 'rundll32'
- 'wscript'
condition: all of selection_*
falsepositives:
- Unknown
level: high
high
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
status testauthor frack113id fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
view Sigma YAML
title: PowerShell Logging Disabled Via Registry Key Tampering
id: fecfd1a1-cc78-4313-a1ea-2ee2e8ec27a7
status: test
description: Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-32---windows-powershell-logging-disabled
author: frack113
date: 2022-04-02
modified: 2023-08-17
tags:
- attack.stealth
- attack.defense-impairment
- attack.t1564.001
- attack.t1112
- attack.persistence
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Microsoft\Windows\PowerShell\' # PowerShell 5
- '\Microsoft\PowerShellCore\' # PowerShell 7
TargetObject|endswith:
- '\ModuleLogging\EnableModuleLogging'
- '\ScriptBlockLogging\EnableScriptBlockLogging'
- '\ScriptBlockLogging\EnableScriptBlockInvocationLogging'
- '\Transcription\EnableTranscripting'
- '\Transcription\EnableInvocationHeader'
- '\EnableScripts'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_powershell_logging_disabled/info.yml
simulation:
- type: atomic-red-team
name: Disable PowerShell Logging via Registry
technique: T1112
atomic_guid: 95b25212-91a7-42ff-9613-124aca6845a8
high
PrintBrm ZIP Creation of Extraction
Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
status testauthor frack113id cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
view Sigma YAML
title: PrintBrm ZIP Creation of Extraction
id: cafeeba3-01da-4ab4-b6c4-a31b1d9730c7
status: test
description: Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
references:
- https://lolbas-project.github.io/lolbas/Binaries/PrintBrm/
author: frack113
date: 2022-05-02
tags:
- attack.command-and-control
- attack.stealth
- attack.t1105
- attack.t1564.004
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: '\PrintBrm.exe'
CommandLine|contains|all:
- ' -f'
- '.zip'
condition: selection
falsepositives:
- Unknown
level: high
high
Registry Persistence via Service in Safe Mode
Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
status testauthor frack113id 1547e27c-3974-43e2-a7d7-7f484fb928ec
view Sigma YAML
title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
author: frack113
date: 2022-04-04
modified: 2025-10-22
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains:
- '\Control\SafeBoot\Minimal\'
- '\Control\SafeBoot\Network\'
TargetObject|endswith: '\(Default)'
Details: 'Service'
filter_optional_sophos:
Image: 'C:\WINDOWS\system32\msiexec.exe'
TargetObject|endswith:
- '\Control\SafeBoot\Minimal\SAVService\(Default)'
- '\Control\SafeBoot\Network\SAVService\(Default)'
filter_optional_mbamservice:
Image|endswith: '\MBAMInstallerService.exe'
TargetObject|endswith: '\MBAMService\(Default)'
Details: 'Service'
filter_optional_hexnode:
Image: 'C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
TargetObject|endswith:
- '\Control\SafeBoot\Minimal\Hexnode Updater\(Default)'
- '\Control\SafeBoot\Network\Hexnode Updater\(Default)'
- '\Control\SafeBoot\Minimal\Hexnode Agent\(Default)'
- '\Control\SafeBoot\Network\Hexnode Agent\(Default)'
Details: 'Service'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode/info.yml
simulation:
- type: atomic-red-team
name: Windows Add Registry Value to Load Service in Safe Mode without Network
technique: T1112
atomic_guid: 1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5
- type: atomic-red-team
name: Windows Add Registry Value to Load Service in Safe Mode with Network
technique: T1112
atomic_guid: c173c948-65e5-499c-afbe-433722ed5bd4
high
Run PowerShell Script from ADS
Detects PowerShell script execution from Alternate Data Stream (ADS)
status testauthor Sergey Soldatov, Kaspersky Lab, oscd.communityid 45a594aa-1fbd-4972-a809-ff5a99dd81b8
view Sigma YAML
title: Run PowerShell Script from ADS
id: 45a594aa-1fbd-4972-a809-ff5a99dd81b8
status: test
description: Detects PowerShell script execution from Alternate Data Stream (ADS)
references:
- https://github.com/p0shkatz/Get-ADS/blob/1c3a3562e713c254edce1995a7d9879c687c7473/Get-ADS.ps1
author: Sergey Soldatov, Kaspersky Lab, oscd.community
date: 2019-10-30
modified: 2022-07-14
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains|all:
- 'Get-Content'
- '-Stream'
condition: selection
falsepositives:
- Unknown
level: high
high
Set Suspicious Files as System Files Using Attrib.EXE
Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
status testauthor Nasreddine Bencherchali (Nextron Systems)id efec536f-72e8-4656-8960-5e85d091345b
view Sigma YAML
title: Set Suspicious Files as System Files Using Attrib.EXE
id: efec536f-72e8-4656-8960-5e85d091345b
related:
- id: bb19e94c-59ae-4c15-8c12-c563d23fe52b
type: derived
status: test
description: |
Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
references:
- https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4
- https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0
- https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-28
modified: 2023-03-14
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\attrib.exe'
- OriginalFileName: 'ATTRIB.EXE'
selection_cli:
CommandLine|contains: ' +s'
selection_paths:
CommandLine|contains:
- ' %' # Custom Environment variable
- '\Users\Public\'
- '\AppData\Local\'
- '\ProgramData\'
- '\Downloads\'
- '\Windows\Temp\'
selection_ext:
CommandLine|contains:
- '.bat'
- '.dll'
- '.exe'
- '.hta'
- '.ps1'
- '.vbe'
- '.vbs'
filter_optional_installer:
CommandLine|contains|all:
- '\Windows\TEMP\'
- '.exe'
condition: all of selection* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: high
high
Suspicious Creation with Colorcpl
Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
status testauthor frack113id e15b518d-b4ce-4410-a9cd-501f23ce4a18
view Sigma YAML
title: Suspicious Creation with Colorcpl
id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
status: test
description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
references:
- https://twitter.com/eral4m/status/1480468728324231172?s=20
author: frack113
date: 2022-01-21
modified: 2023-01-05
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\colorcpl.exe'
filter_ext:
TargetFilename|endswith:
- '.icm'
- '.gmmp'
- '.cdmp'
- '.camp'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high
high
Suspicious Executable File Creation
Detect creation of suspicious executable file names.
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
status testauthor frack113id 74babdd6-a758-4549-9632-26535279e654
view Sigma YAML
title: Suspicious Executable File Creation
id: 74babdd6-a758-4549-9632-26535279e654
status: test
description: |
Detect creation of suspicious executable file names.
Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
references:
- https://medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
- https://app.any.run/tasks/76c69e2d-01e8-49d9-9aea-fb7cc0c4d3ad/
author: frack113
date: 2022-09-05
modified: 2023-12-11
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- ':\$Recycle.Bin.exe'
- ':\Documents and Settings.exe'
- ':\MSOCache.exe'
- ':\PerfLogs.exe'
- ':\Recovery.exe'
- '.bat.exe'
- '.sys.exe'
condition: selection
falsepositives:
- Unknown
level: high
high
Suspicious File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
status testauthor Florian Roth (Nextron Systems)id 52182dfb-afb7-41db-b4bc-5336cb29b464
view Sigma YAML
title: Suspicious File Download From File Sharing Websites - File Stream
id: 52182dfb-afb7-41db-b4bc-5336cb29b464
related:
- id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
type: similar
status: test
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2025-12-10
tags:
- attack.stealth
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection_domain:
Contents|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_extension:
TargetFilename|contains:
- '.cpl:Zone'
- '.dll:Zone'
- '.exe:Zone'
- '.hta:Zone'
- '.lnk:Zone'
- '.one:Zone'
- '.vbe:Zone'
- '.vbs:Zone'
- '.xll:Zone'
condition: all of selection_*
falsepositives:
- Some false positives might occur with binaries download via Github
level: high
high
Sysmon Configuration Error
Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
status testauthor frack113id 815cd91b-7dbc-4247-841a-d7dd1392b0a8
view Sigma YAML
title: Sysmon Configuration Error
id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
status: test
description: Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
author: frack113
date: 2021-06-04
modified: 2022-07-07
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: sysmon_error
detection:
selection_error:
Description|contains:
- 'Failed to open service configuration with error'
- 'Failed to connect to the driver to update configuration'
filter_generic_english:
Description|contains|all:
- 'Failed to open service configuration with error'
- 'Last error: The media is write protected.'
filter_by_errorcode:
Description|contains:
- 'Failed to open service configuration with error 19'
- 'Failed to open service configuration with error 93'
condition: selection_error and not 1 of filter*
falsepositives:
- Legitimate administrative action
level: high
high
Sysmon Configuration Modification
Detects when an attacker tries to hide from Sysmon by disabling or stopping it
status testauthor frack113id 1f2b5353-573f-4880-8e33-7d04dcf97744
view Sigma YAML
title: Sysmon Configuration Modification
id: 1f2b5353-573f-4880-8e33-7d04dcf97744
status: test
description: Detects when an attacker tries to hide from Sysmon by disabling or stopping it
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
author: frack113
date: 2021-06-04
modified: 2022-08-02
tags:
- attack.stealth
- attack.t1564
logsource:
product: windows
category: sysmon_status
detection:
selection_stop:
State: Stopped
selection_conf:
- 'Sysmon config state changed'
filter:
State: Started
condition: 1 of selection_* and not filter
falsepositives:
- Legitimate administrative action
level: high
high
Unusual File Download from Direct IP Address
Detects the download of suspicious file type from URLs with IP
title: Unusual File Download from Direct IP Address
id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
status: test
description: Detects the download of suspicious file type from URLs with IP
references:
- https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
- https://labs.withsecure.com/publications/detecting-onenote-abuse
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
date: 2022-09-07
modified: 2023-02-10
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Contents|re: 'http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
TargetFilename|contains:
- '.ps1:Zone'
- '.bat:Zone'
- '.exe:Zone'
- '.vbe:Zone'
- '.vbs:Zone'
- '.dll:Zone'
- '.one:Zone'
- '.cmd:Zone'
- '.hta:Zone'
- '.xll:Zone'
- '.lnk:Zone'
condition: selection
falsepositives:
- Unknown
level: high
medium
Cmd Launched with Hidden Start Flags to Suspicious Targets
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
status experimentalauthor Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)id 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
view Sigma YAML
title: Cmd Launched with Hidden Start Flags to Suspicious Targets
id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: |
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
references:
- https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
- https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
- attack.stealth
- attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
logsource:
category: process_creation
product: windows
detection:
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_hidden_start_1:
CommandLine|contains|windash:
- 'start '
- 'start/b'
- 'start/min'
selection_cmd_hidden_start_2:
CommandLine|contains|windash:
- '/b '
- '/b"'
- '/min '
- '/min"'
selection_cli_uncommon_location:
CommandLine|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Windows\Temp\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Documents\'
- '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\'
- '\Music\'
- '\Photos\'
- '\Temporary Internet\'
- '\Users\Public\'
- '\Videos\'
selection_cli_susp_extension:
CommandLine|contains:
- '.bat'
- '.cmd'
- '.cpl'
- '.hta'
- '.js'
- '.ps1'
- '.scr'
- '.vbe'
- '.vbs'
selection_cli_susp_pattern:
CommandLine|contains:
- ' -nop '
- ' -sta '
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- '-noni '
- '-w hidden '
condition: all of selection_cmd_* and 1 of selection_cli_*
falsepositives:
- Legitimate administrative scripts running from temporary folders.
- Niche software updaters utilizing hidden batch files in ProgramData.
level: medium # Can be increased after an initial baseline and tuning
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml
medium
CrashControl CrashDump Disabled
Detects disabling the CrashDump per registry (as used by HermeticWiper)
status testauthor Tobias Michalski (Nextron Systems)id 2ff692c2-4594-41ec-8fcb-46587de769e0
view Sigma YAML
title: CrashControl CrashDump Disabled
id: 2ff692c2-4594-41ec-8fcb-46587de769e0
status: test
description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
references:
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
author: Tobias Michalski (Nextron Systems)
date: 2022-02-24
modified: 2023-08-17
tags:
- attack.persistence
- attack.stealth
- attack.defense-impairment
- attack.t1564
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Legitimate disabling of crashdumps
level: medium
medium
Displaying Hidden Files Feature Disabled
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
This technique is abused by several malware families to hide their files from normal users.
status testauthor frack113id 5a5152f1-463f-436b-b2f5-8eceb3964b42
view Sigma YAML
title: Displaying Hidden Files Feature Disabled
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: test
description: |
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
This technique is abused by several malware families to hide their files from normal users.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-8---hide-files-through-registry
author: frack113
date: 2022-04-02
modified: 2024-03-26
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith:
- '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden'
- '\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: medium
medium
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
status testauthor frack113id 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
view Sigma YAML
title: Execute From Alternate Data Streams
id: 7f43c430-5001-4f8b-aaa9-c3b88f18fa5c
status: test
description: Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-01
modified: 2022-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection_stream:
CommandLine|contains: 'txt:'
selection_tools_type:
CommandLine|contains|all:
- 'type '
- ' > '
selection_tools_makecab:
CommandLine|contains|all:
- 'makecab '
- '.cab'
selection_tools_reg:
CommandLine|contains|all:
- 'reg '
- ' export '
selection_tools_regedit:
CommandLine|contains|all:
- 'regedit '
- ' /E '
selection_tools_esentutl:
CommandLine|contains|all:
- 'esentutl '
- ' /y '
- ' /d '
- ' /o '
condition: selection_stream and (1 of selection_tools_*)
falsepositives:
- Unknown
level: medium
medium
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
status testauthor Florian Roth (Nextron Systems), @0xrawsecid b69888d4-380c-45ce-9cf9-d9ce46e67821
view Sigma YAML
title: Hidden Executable In NTFS Alternate Data Stream
id: b69888d4-380c-45ce-9cf9-d9ce46e67821
status: test
description: Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
references:
- https://twitter.com/0xrawsec/status/1002478725605273600?s=21
author: Florian Roth (Nextron Systems), @0xrawsec
date: 2018-06-03
modified: 2023-02-10
tags:
- attack.stealth
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
definition: 'Requirements: Sysmon or equivalent configured with Imphash logging'
detection:
selection:
Hash|contains: 'IMPHASH='
filter_main_null:
Hash|contains: 'IMPHASH=00000000000000000000000000000000'
condition: selection and not 1 of filter_main_*
falsepositives:
- This rule isn't looking for any particular binary characteristics. As legitimate installers and programs were seen embedding hidden binaries in their ADS. Some false positives are expected from browser processes and similar.
level: medium
medium
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
status testauthor Omar Khaled (@beacon_exe)id 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
view Sigma YAML
title: Hidden Flag Set On File/Directory Via Chflags - MacOS
id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
status: test
description: |
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
references:
- https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
- https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
- https://ss64.com/mac/chflags.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-21
tags:
- attack.credential-access
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1564.004
- attack.t1552.001
- attack.t1105
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith: '/chflags'
CommandLine|contains: 'hidden '
condition: selection
falsepositives:
- Legitimate usage of chflags by administrators and users.
level: medium
medium
Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
status testauthor Daniil Yugoslavskiy, oscd.communityid b22a5b36-2431-493a-8be1-0bae56c28ef3
view Sigma YAML
title: Hidden User Creation
id: b22a5b36-2431-493a-8be1-0bae56c28ef3
status: test
description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.002/T1564.002.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-10
modified: 2021-11-27
tags:
- attack.stealth
- attack.t1564.002
logsource:
category: process_creation
product: macos
detection:
dscl_create:
Image|endswith: '/dscl'
CommandLine|contains: 'create'
id_below_500:
CommandLine|contains: UniqueID
CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'
ishidden_option_declaration:
CommandLine|contains: 'IsHidden'
ishidden_option_confirmation:
CommandLine|contains:
- 'true'
- 'yes'
- '1'
condition: dscl_create and id_below_500 or dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
falsepositives:
- Legitimate administration activities
level: medium
medium
Hiding Files with Attrib.exe
Detects usage of attrib.exe to hide files from users.
status testauthor Sami Ruohonenid 4281cb20-2994-4580-aa63-c8b86d019934
view Sigma YAML
title: Hiding Files with Attrib.exe
id: 4281cb20-2994-4580-aa63-c8b86d019934
status: test
description: Detects usage of attrib.exe to hide files from users.
references:
- https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/
- https://www.uptycs.com/blog/lolbins-are-no-laughing-matter
author: Sami Ruohonen
date: 2019-01-16
modified: 2023-03-14
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\attrib.exe'
- OriginalFileName: 'ATTRIB.EXE'
selection_cli:
CommandLine|contains: ' +h '
filter_main_msiexec:
CommandLine|contains: '\desktop.ini '
filter_optional_intel:
ParentImage|endswith: '\cmd.exe'
CommandLine: '+R +H +S +A \\\*.cui'
ParentCommandLine: 'C:\\WINDOWS\\system32\\\*.bat'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
- Msiexec.exe hiding desktop.ini
level: medium
medium
Hiding User Account Via SpecialAccounts Registry Key - CommandLine
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
status testauthor @Kostastsale, TheDFIRReportid 9ec9fb1b-e059-4489-9642-f270c207923d
view Sigma YAML
title: Hiding User Account Via SpecialAccounts Registry Key - CommandLine
id: 9ec9fb1b-e059-4489-9642-f270c207923d
related:
- id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
type: similar
status: test
description: |
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
references:
- https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
author: '@Kostastsale, TheDFIRReport'
date: 2022-05-14
modified: 2024-08-23
tags:
- attack.stealth
- attack.t1564.002
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\reg.exe'
CommandLine|contains|all:
- '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
- 'add'
- '/v'
- '/d 0'
condition: selection
falsepositives:
- System administrator activities
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_registry_special_accounts_hide_user/info.yml
medium
Mount Execution With Hidepid Parameter
Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
status testauthor Joseliyo Sanchez, @Joseliyo_Jstnkid ec52985a-d024-41e3-8ff6-14169039a0b3
view Sigma YAML
title: Mount Execution With Hidepid Parameter
id: ec52985a-d024-41e3-8ff6-14169039a0b3
status: test
description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
references:
- https://blogs.blackberry.com/
- https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/
- https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-01-12
tags:
- attack.credential-access
- attack.stealth
- attack.t1564
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/mount'
CommandLine|contains|all:
- 'hidepid=2'
- ' -o '
condition: selection
falsepositives:
- Unknown
level: medium
medium
PUA - AdvancedRun Execution
Detects the execution of AdvancedRun utility
status testauthor Florian Roth (Nextron Systems)id d2b749ee-4225-417e-b20e-a8d2193cbb84
Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
Threat actors abused older vulnerable versions to manipulate system processes.
status testauthor Florian Roth (Nextron Systems)id 811e0002-b13b-4a15-9d00-a613fce66e42
view Sigma YAML
title: PUA - Process Hacker Execution
id: 811e0002-b13b-4a15-9d00-a613fce66e42
related:
- id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
type: similar
status: test
description: |
Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc).
Process Hacker is a tool to view and manipulate processes, kernel options and other low level options.
Threat actors abused older vulnerable versions to manipulate system processes.
references:
- https://processhacker.sourceforge.io/
- https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
author: Florian Roth (Nextron Systems)
date: 2022-10-10
modified: 2024-11-23
tags:
- attack.discovery
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1622
- attack.t1564
- attack.t1543
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|contains: '\ProcessHacker_'
- Image|endswith: '\ProcessHacker.exe'
- OriginalFileName:
- 'ProcessHacker.exe'
- 'Process Hacker'
- Description: 'Process Hacker'
- Product: 'Process Hacker'
- Hashes|contains:
- 'MD5=68F9B52895F4D34E74112F3129B3B00D'
- 'MD5=B365AF317AE730A67C936F21432B9C71'
- 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
- 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
- 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
- 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
- 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
- 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
condition: selection
falsepositives:
- While sometimes 'Process Hacker is used by legitimate administrators, the execution of Process Hacker must be investigated and allowed on a case by case basis
level: medium
medium
PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
status testauthor Florian Roth (Nextron Systems)id 5722dff1-4bdd-4949-86ab-fbaf707e767a
view Sigma YAML
title: PUA - System Informer Execution
id: 5722dff1-4bdd-4949-86ab-fbaf707e767a
related:
- id: 811e0002-b13b-4a15-9d00-a613fce66e42
type: similar
status: test
description: Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
references:
- https://github.com/winsiderss/systeminformer
author: Florian Roth (Nextron Systems)
date: 2023-05-08
modified: 2024-11-23
tags:
- attack.persistence
- attack.privilege-escalation
- attack.discovery
- attack.stealth
- attack.t1082
- attack.t1564
- attack.t1543
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\SystemInformer.exe'
- OriginalFileName: 'SystemInformer.exe'
- Description: 'System Informer'
- Product: 'System Informer'
- Hashes|contains:
# Note: add other hashes as needed
# 3.0.11077.6550
- 'MD5=19426363A37C03C3ED6FEDF57B6696EC'
- 'SHA1=8B12C6DA8FAC0D5E8AB999C31E5EA04AF32D53DC'
- 'SHA256=8EE9D84DE50803545937A63C686822388A3338497CDDB660D5D69CF68B68F287'
- 'IMPHASH=B68908ADAEB5D662F87F2528AF318F12'
condition: selection
falsepositives:
- System Informer is regularly used legitimately by system administrators or developers. Apply additional filters accordingly
level: medium
medium
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
status testauthor Scoubi (@ScoubiMtl)id a8f866e1-bdd4-425e-a27a-37619238d9c7
view Sigma YAML
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream
id: a8f866e1-bdd4-425e-a27a-37619238d9c7
related:
- id: 0900463c-b33b-49a8-be1d-552a3b553dae
type: similar
status: test
description: |
Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"
references:
- https://twitter.com/pfiatde/status/1681977680688738305
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: file_event
detection:
selection:
# Note: Both Sysmon and ETW are unable to log the presence of such streams in the CommandLine. But EDRs such as Crowdstrike are able to use e.g. CMD console history. Users are advised to test this before usage
TargetFilename|contains: '::$index_allocation'
condition: selection
falsepositives:
- Unlikely
level: medium
medium
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
status testauthor Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)id 0900463c-b33b-49a8-be1d-552a3b553dae
view Sigma YAML
title: Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
id: 0900463c-b33b-49a8-be1d-552a3b553dae
related:
- id: a8f866e1-bdd4-425e-a27a-37619238d9c7
type: similar
status: test
description: |
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
references:
- https://twitter.com/pfiatde/status/1681977680688738305
- https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/
- https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/
- https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3
author: Nasreddine Bencherchali (Nextron Systems), Scoubi (@ScoubiMtl)
date: 2023-10-09
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: process_creation
detection:
selection:
# Note: Both Sysmon and ETW are unable to log the presence of such stream in the CommandLine. But EDRs such as Crowdstrike are able to using for example CMD console history. Users are advised to test this before usage
CommandLine|contains: '::$index_allocation'
condition: selection
falsepositives:
- Unlikely
level: medium
medium
Potential Suspicious Activity Using SeCEdit
Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
status testauthor Janantha Marasingheid c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
view Sigma YAML
title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
- https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
- attack.collection
- attack.discovery
- attack.persistence
- attack.credential-access
- attack.privilege-escalation
- attack.execution
- attack.stealth
- attack.defense-impairment
- attack.t1685.001
- attack.t1547.001
- attack.t1505.005
- attack.t1556.002
- attack.t1685
- attack.t1574.007
- attack.t1564.002
- attack.t1546.008
- attack.t1546.007
- attack.t1547.014
- attack.t1547.010
- attack.t1547.002
- attack.t1557
- attack.t1082
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\secedit.exe'
- OriginalFileName: 'SeCEdit'
selection_flags_discovery:
CommandLine|contains|all:
- '/export'
- '/cfg'
selection_flags_configure:
CommandLine|contains|all:
- '/configure'
- '/db'
# filter:
# SubjectUserName|endswith: '$' SubjectUserName is from event ID 4719 in the Windows Security log
condition: selection_img and (1 of selection_flags_*)
falsepositives:
- Legitimate administrative use
level: medium
medium
Powershell Executed From Headless ConHost Process
Detects the use of powershell commands from headless ConHost window.
The "--headless" flag hides the windows from the user upon execution.
status testauthor Matt Anderson (Huntress)id 056c7317-9a09-4bd4-9067-d051312752ea
view Sigma YAML
title: Powershell Executed From Headless ConHost Process
id: 056c7317-9a09-4bd4-9067-d051312752ea
related:
- id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
type: derived
status: test
description: |
Detects the use of powershell commands from headless ConHost window.
The "--headless" flag hides the windows from the user upon execution.
references:
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1059.003
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\conhost.exe'
- OriginalFileName: 'CONHOST.EXE'
selection_cli:
CommandLine|contains|all:
- '--headless'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml
medium
Powershell Store File In Alternate Data Stream
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
status testauthor frack113id a699b30e-d010-46c8-bbd1-ee2e26765fe9
view Sigma YAML
title: Powershell Store File In Alternate Data Stream
id: a699b30e-d010-46c8-bbd1-ee2e26765fe9
status: test
description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: frack113
date: 2021-09-02
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1564.004
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_compspec:
ScriptBlockText|contains|all:
- 'Start-Process'
- '-FilePath "$env:comspec" '
- '-ArgumentList '
- '>'
condition: selection_compspec
falsepositives:
- Unknown
level: medium
medium
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
title: Remote File Download Via Findstr.EXE
id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
related:
- id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
type: obsolete
status: test
description: |
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Findstr/
- https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
date: 2020-10-05
modified: 2024-03-05
tags:
- attack.credential-access
- attack.command-and-control
- attack.stealth
- attack.t1218
- attack.t1564.004
- attack.t1552.001
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
selection_findstr:
- CommandLine|contains: findstr
- Image|endswith: 'findstr.exe'
- OriginalFileName: 'FINDSTR.EXE'
selection_cli_download_1:
CommandLine|contains|windash: ' -v '
selection_cli_download_2:
CommandLine|contains|windash: ' -l '
selection_cli_download_3:
CommandLine|contains: '\\\\'
condition: selection_findstr and all of selection_cli_download_*
falsepositives:
- Unknown
level: medium
medium
Suspicious Diantz Alternate Data Stream Execution
Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
status testauthor frack113id 6b369ced-4b1d-48f1-b427-fdc0de0790bd
view Sigma YAML
title: Suspicious Diantz Alternate Data Stream Execution
id: 6b369ced-4b1d-48f1-b427-fdc0de0790bd
status: test
description: Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Diantz/
author: frack113
date: 2021-11-26
modified: 2022-12-31
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- diantz.exe
- .cab
CommandLine|re: ':[^\\]'
condition: selection
falsepositives:
- Very Possible
level: medium
medium
Suspicious Extrac32 Alternate Data Stream Execution
Extract data from cab file and hide it in an alternate data stream
status testauthor frack113id 4b13db67-0c45-40f1-aba8-66a1a7198a1e
view Sigma YAML
title: Suspicious Extrac32 Alternate Data Stream Execution
id: 4b13db67-0c45-40f1-aba8-66a1a7198a1e
status: test
description: Extract data from cab file and hide it in an alternate data stream
references:
- https://lolbas-project.github.io/lolbas/Binaries/Extrac32/
author: frack113
date: 2021-11-26
modified: 2022-12-30
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- extrac32.exe
- .cab
CommandLine|re: ':[^\\]'
condition: selection
falsepositives:
- Unknown
level: medium
medium
Suspicious Hyper-V Cmdlets
Adversaries may carry out malicious operations using a virtual instance to avoid detection
status testauthor frack113id 42d36aa1-3240-4db0-8257-e0118dcdd9cd
view Sigma YAML
title: Suspicious Hyper-V Cmdlets
id: 42d36aa1-3240-4db0-8257-e0118dcdd9cd
status: test
description: Adversaries may carry out malicious operations using a virtual instance to avoid detection
references:
- https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
author: frack113
date: 2022-04-09
tags:
- attack.stealth
- attack.t1564.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- New-VM
- Set-VMFirmware
- Start-VM
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
medium
Suspicious PowerShell WindowStyle Option
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
status testauthor frack113, Tim Shelton (fp AWS)id 313fbb0a-a341-4682-848d-6d6f8c4fab7c
view Sigma YAML
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021-10-20
modified: 2023-01-03
tags:
- attack.stealth
- attack.t1564.003
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'powershell'
- 'WindowStyle'
- 'Hidden'
filter:
ScriptBlockText|contains|all:
- ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
- '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
condition: selection and not filter
falsepositives:
- Unknown
level: medium
medium
Unusual File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
status testauthor Florian Roth (Nextron Systems)id ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
view Sigma YAML
title: Unusual File Download From File Sharing Websites - File Stream
id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
related:
- id: 52182dfb-afb7-41db-b4bc-5336cb29b464
type: similar
status: test
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
- https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2025-12-10
tags:
- attack.stealth
- attack.s0139
- attack.t1564.004
logsource:
product: windows
category: create_stream_hash
detection:
selection_domain:
Contents|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_extension:
TargetFilename|contains:
- '.bat:Zone'
- '.cmd:Zone'
- '.ps1:Zone'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Use Icacls to Hide File to Everyone
Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
status testauthor frack113id 4ae81040-fc1c-4249-bfa3-938d260214d9
view Sigma YAML
title: Use Icacls to Hide File to Everyone
id: 4ae81040-fc1c-4249-bfa3-938d260214d9
status: test
description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
references:
- https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
author: frack113
date: 2022-07-18
modified: 2024-04-29
tags:
- attack.stealth
- attack.t1564.001
logsource:
category: process_creation
product: windows
detection:
selection_icacls:
- OriginalFileName: 'iCACLS.EXE'
- Image|endswith: '\icacls.exe'
selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
CommandLine|contains|all:
- '/deny'
- '*S-1-1-0:'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
medium
Use NTFS Short Name in Command Line
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems)id dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
view Sigma YAML
title: Use NTFS Short Name in Command Line
id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
related:
- id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
type: similar
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/jonasLyk/status/1555914501802921984
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-05
modified: 2022-09-21
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '~1.exe'
- '~1.bat'
- '~1.msi'
- '~1.vbe'
- '~1.vbs'
- '~1.dll'
- '~1.ps1'
- '~1.js'
- '~1.hta'
- '~2.exe'
- '~2.bat'
- '~2.msi'
- '~2.vbe'
- '~2.vbs'
- '~2.dll'
- '~2.ps1'
- '~2.js'
- '~2.hta'
filter:
- ParentImage|endswith:
- '\WebEx\WebexHost.exe'
- '\thor\thor64.exe'
- CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE'
condition: selection and not filter
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
level: medium
medium
Use NTFS Short Name in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
status testauthor frack113, Nasreddine Bencherchali (Nextron Systems)id 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
view Sigma YAML
title: Use NTFS Short Name in Image
id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
related:
- id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
type: similar
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/jonasLyk/status/1555914501802921984
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-06
modified: 2023-07-20
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '~1.bat'
- '~1.dll'
- '~1.exe'
- '~1.hta'
- '~1.js'
- '~1.msi'
- '~1.ps1'
- '~1.tmp'
- '~1.vbe'
- '~1.vbs'
- '~2.bat'
- '~2.dll'
- '~2.exe'
- '~2.hta'
- '~2.js'
- '~2.msi'
- '~2.ps1'
- '~2.tmp'
- '~2.vbe'
- '~2.vbs'
filter_main_generic_parent:
ParentImage: 'C:\Windows\explorer.exe'
filter_optional_webex:
ParentImage|endswith: '\WebEx\WebexHost.exe'
filter_optional_thor:
ParentImage|endswith: '\thor\thor64.exe'
filter_optional_winzip:
Image: 'C:\PROGRA~1\WinZip\WZPREL~1.EXE'
filter_optional_vcred:
Image|endswith: '\VCREDI~1.EXE'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Software Installers
level: medium
medium
Use Short Name Path in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
status testauthor frack113, Nasreddine Bencherchaliid a96970af-f126-420d-90e1-d37bf25e50e1
view Sigma YAML
title: Use Short Name Path in Image
id: a96970af-f126-420d-90e1-d37bf25e50e1
related:
- id: 349d891d-fef0-4fe4-bc53-eee623a15969
type: similar
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)
- https://twitter.com/frack113/status/1555830623633375232
author: frack113, Nasreddine Bencherchali
date: 2022-08-07
modified: 2025-10-20
tags:
- attack.stealth
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- '~1\'
- '~2\'
filter_main_system_process:
ParentImage:
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\cleanmgr.exe' # Spawns DismHost.exe with a shortened username (if too long)
filter_main_installers:
- Image|contains|all:
- '\AppData\'
- '\Temp\'
- Image|endswith:
- '~1\unzip.exe'
- '~1\7zG.exe'
filter_optional_webex:
ParentImage|endswith: '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes
filter_optional_thor:
ParentImage|endswith: '\thor\thor64.exe'
filter_optional_installshield:
- Product: 'InstallShield (R)'
- Description: 'InstallShield (R) Setup Engine'
- Company: 'InstallShield Software Corporation'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
level: medium
low
Browser Execution In Headless Mode
Detects execution of Chromium based browser in headless mode
status testauthor Nasreddine Bencherchali (Nextron Systems)id ef9dcfed-690c-4c5d-a9d1-482cd422225c