Home/Sigma rules
Sigma

Sigma detection rules

8 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

8 shown of 8
high
File Download with Headless Browser
Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
status test author Sreeman, Florian Roth (Nextron Systems) id 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
view Sigma YAML 
title: File Download with Headless Browser
id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
related:
    - id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
      type: derived
status: test
description: Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
references:
    - https://twitter.com/mrd0x/status/1478234484881436672?s=12
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Sreeman, Florian Roth (Nextron Systems)
date: 2022-01-04
modified: 2025-10-07
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1105
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains|all:
            - '--headless'
            - 'dump-dom'
            - 'http'
    filter_optional_edge_1:
        Image|startswith:
            - 'C:\Program Files (x86)\Microsoft\Edge\Application\'
            - 'C:\Program Files (x86)\Microsoft\EdgeCore\'
            - 'C:\Program Files (x86)\Microsoft\EdgeWebView\'
            - 'C:\Program Files\Microsoft\Edge\Application\'
            - 'C:\Program Files\Microsoft\EdgeCore\'
            - 'C:\Program Files\Microsoft\EdgeWebView\'
            - 'C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge'
        Image|endswith:
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\MicrosoftEdge.exe'
        CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
    filter_optional_edge_2:
        Image|contains:
            - '\AppData\Local\Microsoft\WindowsApps\'
            - '\Windows\SystemApps\Microsoft.MicrosoftEdge'
        Image|endswith:
            - '\msedge.exe'
            - '\MicrosoftEdge.exe'
        CommandLine|contains: '--headless --disable-gpu --disable-extensions --disable-plugins --mute-audio --no-first-run --incognito --aggressive-cache-discard --dump-dom'
    condition: selection and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_file_download/info.yml
high
HackTool - Covenant PowerShell Launcher
Detects suspicious command lines used in Covenant luanchers
status test author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community id c260b6db-48ba-4b4a-a76f-2f67644e99d2
view Sigma YAML 
title: HackTool - Covenant PowerShell Launcher
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
status: test
description: Detects suspicious command lines used in Covenant luanchers
references:
    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2020-06-04
modified: 2023-02-21
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - '-Sta'
            - '-Nop'
            - '-Window'
            - 'Hidden'
        CommandLine|contains:
            - '-Command'
            - '-EncodedCommand'
    selection_2:
        CommandLine|contains:
            - 'sv o (New-Object IO.MemorySteam);sv d '
            - 'mshta file.hta'
            - 'GruntHTTP'
            - '-EncodedCommand cwB2ACAAbwAgA'
    condition: 1 of selection_*
level: high
high
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
status test author Nasreddine Bencherchali (Nextron Systems) id 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
view Sigma YAML 
title: Potential Data Stealing Via Chromium Headless Debugging
id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
related:
    - id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
      type: derived
status: test
description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
references:
    - https://github.com/defaultnamehere/cookie_crimes/
    - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
    - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
    - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
    - attack.credential-access
    - attack.collection
    - attack.stealth
    - attack.t1185
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--remote-debugging-' # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
            - '--user-data-dir'
            - '--headless'
    condition: selection
falsepositives:
    - Unknown
level: high
medium
Cmd Launched with Hidden Start Flags to Suspicious Targets
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
status experimental author Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems) id 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
view Sigma YAML 
title: Cmd Launched with Hidden Start Flags to Suspicious Targets
id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: |
    Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
    To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
    This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
references:
    - https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
    - https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
    - https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
    - attack.stealth
    - attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
logsource:
    category: process_creation
    product: windows
detection:
    selection_cmd_img:
        - Image|endswith: '\cmd.exe'
        - OriginalFileName: 'Cmd.Exe'
    selection_cmd_hidden_start_1:
        CommandLine|contains|windash:
            - 'start '
            - 'start/b'
            - 'start/min'
    selection_cmd_hidden_start_2:
        CommandLine|contains|windash:
            - '/b '
            - '/b"'
            - '/min '
            - '/min"'
    selection_cli_uncommon_location:
        CommandLine|contains:
            - ':\Perflogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Windows\Temp\'
            - '\AppData\Roaming\'
            - '\Contacts\'
            - '\Documents\'
            - '\Downloads\'
            - '\Favorites\'
            - '\Favourites\'
            - '\inetpub\'
            - '\Music\'
            - '\Photos\'
            - '\Temporary Internet\'
            - '\Users\Public\'
            - '\Videos\'
    selection_cli_susp_extension:
        CommandLine|contains:
            - '.bat'
            - '.cmd'
            - '.cpl'
            - '.hta'
            - '.js'
            - '.ps1'
            - '.scr'
            - '.vbe'
            - '.vbs'
    selection_cli_susp_pattern:
        CommandLine|contains:
            - ' -nop '
            - ' -sta '
            - '.downloadfile(' # PowerShell download command
            - '.downloadstring(' # PowerShell download command
            - '-noni '
            - '-w hidden '
    condition: all of selection_cmd_* and 1 of selection_cli_*
falsepositives:
    - Legitimate administrative scripts running from temporary folders.
    - Niche software updaters utilizing hidden batch files in ProgramData.
level: medium # Can be increased after an initial baseline and tuning
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml
medium
PUA - AdvancedRun Execution
Detects the execution of AdvancedRun utility
status test author Florian Roth (Nextron Systems) id d2b749ee-4225-417e-b20e-a8d2193cbb84
view Sigma YAML 
title: PUA - AdvancedRun Execution
id: d2b749ee-4225-417e-b20e-a8d2193cbb84
related:
    - id: fa00b701-44c6-4679-994d-5a18afa8a707
      type: similar
status: test
description: Detects the execution of AdvancedRun utility
references:
    - https://twitter.com/splinter_code/status/1483815103279603714
    - https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3
    - https://www.elastic.co/security-labs/operation-bleeding-bear
    - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth (Nextron Systems)
date: 2022-01-20
modified: 2023-02-21
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1564.003
    - attack.t1134.002
    - attack.t1059.003
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        - OriginalFileName: 'AdvancedRun.exe'
        - CommandLine|contains|all:
              - ' /EXEFilename '
              - ' /Run'
        - CommandLine|contains|all:
              - ' /WindowState 0'
              - ' /RunAs '
              - ' /CommandLine '
    condition: selection
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advancedrun/info.yml
medium
Powershell Executed From Headless ConHost Process
Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.
status test author Matt Anderson (Huntress) id 056c7317-9a09-4bd4-9067-d051312752ea
view Sigma YAML 
title: Powershell Executed From Headless ConHost Process
id: 056c7317-9a09-4bd4-9067-d051312752ea
related:
    - id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
      type: derived
status: test
description: |
    Detects the use of powershell commands from headless ConHost window.
    The "--headless" flag hides the windows from the user upon execution.
references:
    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\conhost.exe'
        - OriginalFileName: 'CONHOST.EXE'
    selection_cli:
        CommandLine|contains|all:
            - '--headless'
            - 'powershell'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml
medium
Suspicious PowerShell WindowStyle Option
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
status test author frack113, Tim Shelton (fp AWS) id 313fbb0a-a341-4682-848d-6d6f8c4fab7c
view Sigma YAML 
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: test
description: |
    Adversaries may use hidden windows to conceal malicious activity from the plain sight of users.
    In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
author: frack113, Tim Shelton (fp AWS)
date: 2021-10-20
modified: 2023-01-03
tags:
    - attack.stealth
    - attack.t1564.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'WindowStyle'
            - 'Hidden'
    filter:
        ScriptBlockText|contains|all:
            - ':\Program Files\Amazon\WorkSpacesConfig\Scripts\'
            - '$PSScriptRoot\Module\WorkspaceScriptModule\WorkspaceScriptModule'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
low
Browser Execution In Headless Mode
Detects execution of Chromium based browser in headless mode
status test author Nasreddine Bencherchali (Nextron Systems) id ef9dcfed-690c-4c5d-a9d1-482cd422225c
view Sigma YAML 
title: Browser Execution In Headless Mode
id: ef9dcfed-690c-4c5d-a9d1-482cd422225c
related:
    - id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
      type: derived
status: test
description: Detects execution of Chromium based browser in headless mode
references:
    - https://twitter.com/mrd0x/status/1478234484881436672?s=12
    - https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-12
tags:
    - attack.command-and-control
    - attack.stealth
    - attack.t1105
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains: '--headless'
    condition: selection
falsepositives:
    - Unknown
level: low
Showing 1-8 of 8
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin