Sigma detection rules

26 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. The raw YAML of each rule is shown below its summary.

Detection rules

high
HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
status: test · author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems) · id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\CertReq.exe'
            - '\CertUtil.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\installutil.exe'
            - '\MSbuild.exe'
            - '\MSHTA.EXE'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\schtasks.exe'
            - '\wmic.exe'
            - '\wscript.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
ISO File Created Within Temp Folders
Detects the creation of an ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
status: test · author: @sam0x90 · id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
title: ISO File Created Within Temp Folders
id: 2f9356ae-bf43-41b8-b858-4496d83b2acb
status: test
description: Detects the creation of an ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
references:
    - https://twitter.com/Sam0x90/status/1552011547974696960
    - https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
author: '@sam0x90'
date: 2022-07-30
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_1:
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.zip\'
        TargetFilename|endswith: '.iso'
    selection_2:
        TargetFilename|contains: '\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\'
        TargetFilename|endswith: '.iso'
    condition: 1 of selection*
falsepositives:
    - Potential FP by sysadmin opening a zip file containing a legitimate ISO file
level: high
high
Office Macro File Creation From Suspicious Process
Detects the creation of an Office macro file from a suspicious process
status: test · author: frack113, Nasreddine Bencherchali (Nextron Systems) · id: b1c50487-1967-4315-a026-6491686d860e
title: Office Macro File Creation From Suspicious Process
id: b1c50487-1967-4315-a026-6491686d860e
status: test
description: Detects the creation of an Office macro file from a suspicious process
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2023-02-22
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enrich the log with additional ParentImage data'
detection:
    selection_cmd:
        - Image|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
        # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
        - ParentImage|endswith:
              - '\cscript.exe'
              - '\mshta.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\wscript.exe'
    selection_ext:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Okta FastPass Phishing Detection
Detects when Okta FastPass prevents a known phishing site.
status: test · author: Austin Songer @austinsonger · id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
title: Okta FastPass Phishing Detection
id: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e
status: test
description: Detects when Okta FastPass prevents a known phishing site.
references:
    - https://sec.okta.com/fastpassphishingdetection
    - https://developer.okta.com/docs/reference/api/system-log/
    - https://developer.okta.com/docs/reference/api/event-types/
author: Austin Songer @austinsonger
date: 2023-05-07
modified: 2026-04-27
tags:
    - attack.initial-access
    - attack.t1566
logsource:
    product: okta
    service: okta
detection:
    selection:
        outcome.reason: 'FastPass declined phishing attempt'
        outcome.result: FAILURE
        eventType: user.authentication.auth_via_mfa
    condition: selection
falsepositives:
    - Unlikely
level: high
high
Password Protected ZIP File Opened (Email Attachment)
Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
status: test · author: Florian Roth (Nextron Systems) · id: 571498c8-908e-40b4-910b-d2369159a3da
title: Password Protected ZIP File Opened (Email Attachment)
id: 571498c8-908e-40b4-910b-d2369159a3da
status: test
description: Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
references:
    - https://twitter.com/sbousseaden/status/1523383197513379841
author: Florian Roth (Nextron Systems)
date: 2022-05-09
tags:
    - attack.initial-access
    - attack.stealth
    - attack.t1027
    - attack.t1566.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5379
        TargetName|contains|all:
            - 'Microsoft_Windows_Shell_ZipFolder:filename'
            - '\Temporary Internet Files\Content.Outlook'
    condition: selection
falsepositives:
    - Legitimate use of encrypted ZIP files
level: high
high
Phishing Pattern ISO in Archive
Detects cases in which an ISO file is opened within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
status: test · author: Florian Roth (Nextron Systems) · id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1
title: Phishing Pattern ISO in Archive
id: fcdf69e5-a3d3-452a-9724-26f2308bf2b1
status: test
description: Detects cases in which an ISO file is opened within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
references:
    - https://twitter.com/1ZRR4H/status/1534259727059787783
    - https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/
author: Florian Roth (Nextron Systems)
date: 2022-06-07
tags:
    - attack.initial-access
    - attack.t1566
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\Winrar.exe'
            - '\7zFM.exe'
            - '\peazip.exe'
        Image|endswith:
            - '\isoburn.exe'
            - '\PowerISO.exe'
            - '\ImgBurn.exe'
    condition: selection
falsepositives:
    - Legitimate cases in which archives contain ISO or IMG files and the user opens the archive and the image via clicking and not extraction
level: high
high
Potential Malicious Usage of CloudTrail System Manager
Detect when System Manager successfully executes commands against an instance.
status: test · author: jamesc-grafana · id: 38e7f511-3f74-41d4-836e-f57dfa18eead
title: Potential Malicious Usage of CloudTrail System Manager
id: 38e7f511-3f74-41d4-836e-f57dfa18eead
status: test
description: |
    Detect when System Manager successfully executes commands against an instance.
references:
    - https://github.com/elastic/detection-rules/blob/v8.6.0/rules/integrations/aws/initial_access_via_system_manager.toml
author: jamesc-grafana
date: 2024-07-11
modified: 2025-12-08
tags:
    - attack.privilege-escalation
    - attack.initial-access
    - attack.t1566
    - attack.t1566.002
logsource:
    product: aws
    service: cloudtrail
detection:
    selection_event:
        eventName: 'SendCommand'
        eventSource: 'ssm.amazonaws.com'
    selection_status_success:
        errorCode: 'Success'
    selection_status_null:
        errorCode: null
    condition: selection_event and 1 of selection_status_*
falsepositives:
    - There are legitimate uses of SSM to send commands to EC2 instances
    - Legitimate users may have to use SSM to perform actions against machines in the Cloud to update or maintain them
level: high
high
Suspicious Double Extension File Execution
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
status: stable · author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) · id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
title: Suspicious Double Extension File Execution
id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
related:
    - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine
      type: similar
status: stable
description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
references:
    - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
    - https://twitter.com/blackorbird/status/1140519090961825792
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
date: 2019-06-26
modified: 2025-05-30
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '      .exe'
            - '______.exe'
            - '.doc.exe'
            - '.doc.js'
            - '.docx.exe'
            - '.docx.js'
            - '.gif.exe'
            - '.jpeg.exe'
            - '.jpg.exe'
            - '.mkv.exe'
            - '.mov.exe'
            - '.mp3.exe'
            - '.mp4.exe'
            - '.pdf.exe'
            - '.pdf.js'
            - '.png.exe'
            - '.ppt.exe'
            - '.ppt.js'
            - '.pptx.exe'
            - '.pptx.js'
            - '.rtf.exe'
            - '.rtf.js'
            - '.svg.exe'
            - '.txt.exe'
            - '.txt.js'
            - '.xls.exe'
            - '.xls.js'
            - '.xlsx.exe'
            - '.xlsx.js'
            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
        CommandLine|contains:
            - '      .exe'
            - '______.exe'
            - '.doc.exe'
            - '.doc.js'
            - '.docx.exe'
            - '.docx.js'
            - '.gif.exe'
            - '.jpeg.exe'
            - '.jpg.exe'
            - '.mkv.exe'
            - '.mov.exe'
            - '.mp3.exe'
            - '.mp4.exe'
            - '.pdf.exe'
            - '.pdf.js'
            - '.png.exe'
            - '.ppt.exe'
            - '.ppt.js'
            - '.pptx.exe'
            - '.pptx.js'
            - '.rtf.exe'
            - '.rtf.js'
            - '.svg.exe'
            - '.txt.exe'
            - '.txt.js'
            - '.xls.exe'
            - '.xls.js'
            - '.xlsx.exe'
            - '.xlsx.js'
            - '⠀⠀⠀⠀⠀⠀.exe' # Unicode Space Character: Braille Pattern Blank (Unicode: U+2800)
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious Execution From Outlook Temporary Folder
Detects a suspicious program execution in Outlook temp folder
status: test · author: Florian Roth (Nextron Systems) · id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
title: Suspicious Execution From Outlook Temporary Folder
id: a018fdc3-46a3-44e5-9afb-2cd4af1d4b39
status: test
description: Detects a suspicious program execution in Outlook temp folder
author: Florian Roth (Nextron Systems)
references:
    - Internal Research
date: 2019-10-01
modified: 2022-10-09
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains: '\Temporary Internet Files\Content.Outlook\'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious External WebDAV Execution
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
status: test · author: Ahmed Farouk · id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
title: Suspicious External WebDAV Execution
id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
related:
    - id: 4c55738d-72d8-490e-a2db-7969654e375f
      type: similar
status: test
description: |
    Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
references:
    - https://dear-territory-023.notion.site/WebDav-Share-Testing-e4950fa0c00149c3aa430d779b9b1d0f?pvs=4
    - https://micahbabinski.medium.com/search-ms-webdav-and-chill-99c5b23ac462
    - https://www.trendmicro.com/en_no/research/24/b/cve202421412-water-hydra-targets-traders-with-windows-defender-s.html
    - https://www.trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html
author: Ahmed Farouk
date: 2024-05-10
tags:
    - attack.initial-access
    - attack.resource-development
    - attack.t1584
    - attack.t1566
logsource:
    category: proxy
detection:
    selection_webdav:
        c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/'
        cs-method: 'GET'
    selection_execution:
        c-uri|endswith:
            - '.7z'
            - '.bat'
            - '.dat'
            - '.cmd'
            - '.exe'
            - '.js'
            - '.lnk'
            - '.ps1'
            - '.rar'
            - '.url'
            - '.vbe'
            - '.vbs'
            - '.zip'
    filter_main_local_ips:
        dst_ip|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
status: experimental · author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) · id: fabb0e80-030c-4e3e-a104-d09676991ac3
title: Suspicious File Created in Outlook Temporary Directory
id: fabb0e80-030c-4e3e-a104-d09676991ac3
related:
    - id: f748c45a-f8d3-4e6f-b617-fe176f695b8f
      type: obsolete
status: experimental
description: |
    Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments.
    This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
references:
    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
    - https://thecyberexpress.com/rogue-rdp-files-used-in-ukraine-cyberattacks/
    - https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/
author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-22
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    product: windows
    category: file_event
detection:
    selection_extension:
        TargetFilename|endswith:
            - '.cpl'
            - '.hta'
            - '.iso'
            - '.rdp'
            - '.svg'
            - '.vba'
            - '.vbe'
            - '.vbs'
    selection_location:
        - TargetFilename|contains:
              - '\AppData\Local\Packages\Microsoft.Outlook_'
              - '\AppData\Local\Microsoft\Olk\Attachments\'
        - TargetFilename|contains|all:
              - '\AppData\Local\Microsoft\Windows\'
              - '\Content.Outlook\'
    condition: all of selection_*
falsepositives:
    - Opening of headers or footers in email signatures that include SVG images or legitimate SVG attachments
level: high
high
Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
status: test · author: Maxim Pavlunin · id: e8a95b5e-c891-46e2-b33a-93937d3abc31
title: Suspicious HH.EXE Execution
id: e8a95b5e-c891-46e2-b33a-93937d3abc31
status: test
description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
references:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
    - https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
    - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin
date: 2020-04-01
modified: 2023-04-12
tags:
    - attack.execution
    - attack.initial-access
    - attack.stealth
    - attack.t1047
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.005
    - attack.t1059.007
    - attack.t1218
    - attack.t1218.001
    - attack.t1218.010
    - attack.t1218.011
    - attack.t1566
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'HH.exe'
        - Image|endswith: '\hh.exe'
    selection_paths:
        CommandLine|contains:
            - '.application'
            - '\AppData\Local\Temp\'
            - '\Content.Outlook\'
            - '\Downloads\'
            - '\Users\Public\'
            - '\Windows\Temp\'
            # - '\AppData\Local\Temp\Temp?_'
            # - '\AppData\Local\Temp\Rar$'
            # - '\AppData\Local\Temp\7z'
            # - '\AppData\Local\Temp\wz'
            # - '\AppData\Local\Temp\peazip-tmp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
high
Suspicious HWP Sub Processes
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
status: test · author: Florian Roth (Nextron Systems) · id: 023394c4-29d5-46ab-92b8-6a534c6f447b
title: Suspicious HWP Sub Processes
id: 023394c4-29d5-46ab-92b8-6a534c6f447b
status: test
description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
references:
    - https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
    - https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
    - https://twitter.com/cyberwar_15/status/1187287262054076416
    - https://blog.alyac.co.kr/1901
    - https://en.wikipedia.org/wiki/Hangul_(word_processor)
author: Florian Roth (Nextron Systems)
date: 2019-10-24
modified: 2021-11-27
tags:
    - attack.initial-access
    - attack.t1566.001
    - attack.execution
    - attack.t1203
    - attack.t1059.003
    - attack.g0032
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\Hwp.exe'
        Image|endswith: '\gbb.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
high
Suspicious Microsoft OneNote Child Process
Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
status: test · author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) · id: c27515df-97a9-4162-8a60-dc0eeb51b775
title: Suspicious Microsoft OneNote Child Process
id: c27515df-97a9-4162-8a60-dc0eeb51b775
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50 # Generic rule for suspicious office application child processes
      type: derived
status: test
description: Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-e34e43eb5666427602ddf488b2bf3b545bd9aae81af3e6f6c7949f9652abdf18
    - https://micahbabinski.medium.com/detecting-onenote-one-malware-delivery-407e9321ecf0
author: Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea)
date: 2022-10-21
modified: 2023-02-10
tags:
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\onenote.exe'
    selection_opt_img:
        - OriginalFileName:
              - 'bitsadmin.exe'
              - 'CertOC.exe'
              - 'CertUtil.exe'
              - 'Cmd.Exe'
              - 'CMSTP.EXE'
              - 'cscript.exe'
              - 'curl.exe'
              - 'HH.exe'
              - 'IEExec.exe'
              - 'InstallUtil.exe'
              - 'javaw.exe'
              - 'Microsoft.Workflow.Compiler.exe'
              - 'msdt.exe'
              - 'MSHTA.EXE'
              - 'msiexec.exe'
              - 'Msxsl.exe'
              - 'odbcconf.exe'
              - 'pcalua.exe'
              - 'PowerShell.EXE'
              - 'RegAsm.exe'
              - 'RegSvcs.exe'
              - 'REGSVR32.exe'
              - 'RUNDLL32.exe'
              - 'schtasks.exe'
              - 'ScriptRunner.exe'
              - 'wmic.exe'
              - 'WorkFolders.exe'
              - 'wscript.exe'
        - Image|endswith:
              - '\AppVLP.exe'
              - '\bash.exe'
              - '\bitsadmin.exe'
              - '\certoc.exe'
              - '\certutil.exe'
              - '\cmd.exe'
              - '\cmstp.exe'
              - '\control.exe'
              - '\cscript.exe'
              - '\curl.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\ieexec.exe'
              - '\installutil.exe'
              - '\javaw.exe'
              - '\mftrace.exe'
              - '\Microsoft.Workflow.Compiler.exe'
              - '\msbuild.exe'
              - '\msdt.exe'
              - '\mshta.exe'
              - '\msidb.exe'
              - '\msiexec.exe'
              - '\msxsl.exe'
              - '\odbcconf.exe'
              - '\pcalua.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\regasm.exe'
              - '\regsvcs.exe'
              - '\regsvr32.exe'
              - '\rundll32.exe'
              - '\schtasks.exe'
              - '\scrcons.exe'
              - '\scriptrunner.exe'
              - '\sh.exe'
              - '\svchost.exe'
              - '\verclsid.exe'
              - '\wmic.exe'
              - '\workfolders.exe'
              - '\wscript.exe'
    selection_opt_explorer:
        Image|endswith: '\explorer.exe'
        CommandLine|contains:
            - '.hta'
            - '.vb'
            - '.wsh'
            - '.js'
            - '.ps'
            - '.scr'
            - '.pif'
            - '.bat'
            - '.cmd'
    selection_opt_paths:
        Image|contains:
            - '\AppData\'
            - '\Users\Public\'
            - '\ProgramData\'
            - '\Windows\Tasks\'
            - '\Windows\Temp\'
            - '\Windows\System32\Tasks\'
    filter_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
        CommandLine|endswith: '-Embedding'
    filter_onedrive:
        Image|contains: '\AppData\Local\Microsoft\OneDrive\'
        Image|endswith: '\FileCoAuth.exe'
        CommandLine|endswith: '-Embedding'
    condition: selection_parent and 1 of selection_opt_* and not 1 of filter_*
falsepositives:
    - File located in the AppData folder with trusted signature
level: high
medium
Arbitrary Shell Command Execution Via Settingcontent-Ms
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
status: test · author: Sreeman · id: 24de4f3b-804c-4165-b442-5a06a2302c7e
title: Arbitrary Shell Command Execution Via Settingcontent-Ms
id: 24de4f3b-804c-4165-b442-5a06a2302c7e
status: test
description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
references:
    - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39
author: Sreeman
date: 2020-03-13
modified: 2022-04-14
tags:
    - attack.t1204
    - attack.t1566.001
    - attack.execution
    - attack.initial-access
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: '.SettingContent-ms'
    filter:
        CommandLine|contains: 'immersivecontrolpanel'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
Disk Image Mounting Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to mount disk images.
status: test · author: Omar Khaled (@beacon_exe) · id: bf241472-f014-4f01-a869-96f99330ca8c
title: Disk Image Mounting Via Hdiutil - MacOS
id: bf241472-f014-4f01-a869-96f99330ca8c
status: test
description: Detects the execution of the hdiutil utility in order to mount disk images.
references:
    - https://www.loobins.io/binaries/hdiutil/
    - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
    - https://ss64.com/mac/hdiutil.html
author: Omar Khaled (@beacon_exe)
date: 2024-08-10
tags:
    - attack.initial-access
    - attack.collection
    - attack.t1566.001
    - attack.t1560.001
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        Image|endswith: /hdiutil
        CommandLine|contains:
            - 'attach '
            - 'mount '
    condition: selection
falsepositives:
    - Legitimate usage of hdiutil by administrators and users.
level: medium
medium
ISO Image Mounted
Detects the mount of an ISO image on an endpoint
status: test · author: Syed Hasan (@syedhasan009) · id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
title: ISO Image Mounted
id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073
status: test
description: Detects the mount of an ISO image on an endpoint
references:
    - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
    - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
    - https://twitter.com/MsftSecIntel/status/1257324139515269121
    - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
author: Syed Hasan (@syedhasan009)
date: 2021-05-29
modified: 2023-11-09
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure'
detection:
    selection:
        EventID: 4663
        ObjectServer: 'Security'
        ObjectType: 'File'
        ObjectName|startswith: '\Device\CdRom'
    filter_main_generic:
        ObjectName:
            - '\Device\CdRom0\autorun.ico'
            - '\Device\CdRom0\setup.exe'
            - '\Device\CdRom0\setup64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Software installation ISO files
level: medium
medium
ISO or Image Mount Indicator in Recent Files
Detects the creation of a recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
status: test · author: Florian Roth (Nextron Systems) · id: 4358e5a5-7542-4dcb-b9f3-87667371839b
title: ISO or Image Mount Indicator in Recent Files
id: 4358e5a5-7542-4dcb-b9f3-87667371839b
status: test
description: |
    Detects the creation of a recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks.
    This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.
references:
    - https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
    - https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore
    - https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/
    - https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/
author: Florian Roth (Nextron Systems)
date: 2022-02-11
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith:
            - '.iso.lnk'
            - '.img.lnk'
            - '.vhd.lnk'
            - '.vhdx.lnk'
        TargetFilename|contains: '\Microsoft\Windows\Recent\'
    condition: selection
falsepositives:
    - Cases in which a user mounts an image file for legitimate reasons
level: medium
medium
Potential Initial Access via DLL Search Order Hijacking
Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
status test author Tim Rauch (rule), Elastic (idea) id dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
title: Potential Initial Access via DLL Search Order Hijacking
id: dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
status: test
description: Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc
    - https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-21
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.execution
    - attack.stealth
    - attack.t1566
    - attack.t1566.001
    - attack.initial-access
    - attack.t1574
    - attack.t1574.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            # add more processes when you find them
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\MSACCESS.EXE'
            - '\MSPUB.EXE'
            - '\fltldr.exe'
            - '\cmd.exe'
            - '\certutil.exe'
            - '\mshta.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\curl.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
        TargetFilename|endswith: '.dll'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
        TargetFilename|contains:
            # add more suspicious paths when you find them
            - '\Microsoft\OneDrive\'
            - '\Microsoft OneDrive\'
            - '\Microsoft\Teams\'
            - '\Local\slack\app-'
            - '\Local\Programs\Microsoft VS Code\'
    filter:
        Image|endswith: '\cmd.exe'
        TargetFilename|contains|all:
            - '\Users\'
            - '\AppData\'
            - '\Microsoft\OneDrive\'
            - '\api-ms-win-core-'
    condition: selection and not filter
falsepositives:
    - Unknown
level: medium
medium
Suspicious Email Delivered In Microsoft 365
Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder. It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.
status experimental author Marco Pedrinazzi (@pedrinazziM) (InTheCyber) id 3569aefd-e535-4391-8c18-24bd01a21eaf
title: Suspicious Email Delivered In Microsoft 365
id: 3569aefd-e535-4391-8c18-24bd01a21eaf
status: experimental
description: |
    Detects instances where an email, identified as malicious or suspicious by the Microsoft Defender for Office 365 (formerly ATP) engine, was delivered to a user's Inbox or Junk folder.
    It might indicate that a potential threat, such as a spearphishing attachment or links, has bypassed initial blocking mechanisms and reached an end-user, requiring further investigation and potential remediation.
references:
    - https://learn.microsoft.com/en-us/defender-office-365/threat-explorer-real-time-detections-about
    - https://research.splunk.com/cloud/605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2/
    - https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/e7250648cb16d4a497ae8737943bf010ea96d2e6/Defender%20For%20Cloud%20Apps/MaliciousEmailDeliveredInMailbox.md
author: Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
date: 2026-01-27
tags:
    - attack.initial-access
    - attack.t1566.001
    - attack.t1566.002
logsource:
    service: audit
    product: m365
detection:
    selection:
        Workload: 'ThreatIntelligence'
        Operation: 'TIMailData'
        Directionality: 'Inbound'
    filter_main_blocked:
        DeliveryAction: 'Blocked'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium
medium
Suspicious Execution via macOS Script Editor
Detects when the macOS Script Editor utility spawns an unusual child process.
status test author Tim Rauch (rule), Elastic (idea) id 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
title: Suspicious Execution via macOS Script Editor
id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
status: test
description: Detects when the macOS Script Editor utility spawns an unusual child process.
author: Tim Rauch (rule), Elastic (idea)
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
    - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
date: 2022-10-21
modified: 2022-12-28
logsource:
    category: process_creation
    product: macos
tags:
    - attack.defense-impairment
    - attack.t1566
    - attack.t1566.002
    - attack.initial-access
    - attack.t1059
    - attack.t1059.002
    - attack.t1204
    - attack.t1204.001
    - attack.execution
    - attack.persistence
    - attack.t1553
detection:
    selection_parent:
        ParentImage|endswith: '/Script Editor'
    selection_img:
        - Image|endswith:
              - '/curl'
              - '/bash'
              - '/sh'
              - '/zsh'
              - '/dash'
              - '/fish'
              - '/osascript'
              - '/mktemp'
              - '/chmod'
              - '/php'
              - '/nohup'
              - '/openssl'
              - '/plutil'
              - '/PlistBuddy'
              - '/xattr'
              - '/sqlite'
              - '/funzip'
              - '/popen'
        - Image|contains:
              - 'python'
              - 'perl'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
medium
Windows Registry Trust Record Modification
Alerts on trust record modification within the registry, indicating usage of macros
status test author Antonlovesdnb, Trent Liffick (@tliffick) id 295a59c1-7b79-4b47-a930-df12c15fc9c2
title: Windows Registry Trust Record Modification
id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
related:
    - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd
      type: similar
status: test
description: Alerts on trust record modification within the registry, indicating usage of macros
references:
    - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
    - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
    - https://twitter.com/inversecos/status/1494174785621819397
author: Antonlovesdnb, Trent Liffick (@tliffick)
date: 2020-02-19
modified: 2023-06-21
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\Security\Trusted Documents\TrustRecords'
    condition: selection
falsepositives:
    - This will alert on legitimate macro usage as well, additional tuning is required
level: medium
low
Download From Suspicious TLD - Blacklist
Detects download of certain file types from hosts in suspicious TLDs
status test author Florian Roth (Nextron Systems) id 00d0b5ab-1f55-4120-8e83-487c0a7baf19
title: Download From Suspicious TLD - Blacklist
id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
related:
    - id: b5de2919-b74a-4805-91a7-5049accbaefe
      type: similar
status: test
description: Detects download of certain file types from hosts in suspicious TLDs
references:
    - https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap
    - https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf
    - https://www.spamhaus.org/statistics/tlds/
    - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
author: Florian Roth (Nextron Systems)
date: 2017-11-07
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
        cs-host|endswith:
            # Symantec / Chris Larsen analysis
            - '.country'
            - '.stream'
            - '.gdn'
            - '.mom'
            - '.xin'
            - '.kim'
            - '.men'
            - '.loan'
            - '.download'
            - '.racing'
            - '.online'
            - '.science'
            - '.ren'
            - '.gb'
            - '.win'
            - '.top'
            - '.review'
            - '.vip'
            - '.party'
            - '.tech'
            - '.xyz'
            - '.date'
            - '.faith'
            - '.zip'
            - '.cricket'
            - '.space'
            # McAfee report
            - '.info'
            - '.vn'
            - '.cm'
            - '.am'
            - '.cc'
            - '.asia'
            - '.ws'
            - '.tk'
            - '.biz'
            - '.su'
            - '.st'
            - '.ro'
            - '.ge'
            - '.ms'
            - '.pk'
            - '.nu'
            - '.me'
            - '.ph'
            - '.to'
            - '.tt'
            - '.name'
            - '.tv'
            - '.kz'
            - '.tc'
            - '.mobi'
            # Spamhaus
            - '.study'
            - '.click'
            - '.link'
            - '.trade'
            - '.accountant'
            # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
            - '.cf'
            - '.gq'
            - '.ml'
            - '.ga'
            # Custom
            - '.pw'
    condition: selection
falsepositives:
    - All kinds of software downloads
level: low
low
Download From Suspicious TLD - Whitelist
Detects executable downloads from suspicious remote systems
status test author Florian Roth (Nextron Systems) id b5de2919-b74a-4805-91a7-5049accbaefe
title: Download From Suspicious TLD - Whitelist
id: b5de2919-b74a-4805-91a7-5049accbaefe
related:
    - id: 00d0b5ab-1f55-4120-8e83-487c0a7baf19
      type: similar
status: test
description: Detects executable downloads from suspicious remote systems
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-13
modified: 2023-05-18
tags:
    - attack.initial-access
    - attack.t1566
    - attack.execution
    - attack.t1203
    - attack.t1204.002
logsource:
    category: proxy
detection:
    selection:
        c-uri-extension:
            - 'exe'
            - 'vbs'
            - 'bat'
            - 'rar'
            - 'ps1'
            - 'doc'
            - 'docm'
            - 'xls'
            - 'xlsm'
            - 'pptm'
            - 'rtf'
            - 'hta'
            - 'dll'
            - 'ws'
            - 'wsf'
            - 'sct'
            - 'zip'
            # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/
    filter:
        cs-host|endswith:
            - '.com'
            - '.org'
            - '.net'
            - '.edu'
            - '.gov'
            - '.uk'
            - '.ca'
            - '.de'
            - '.jp'
            - '.fr'
            - '.au'
            - '.us'
            - '.ch'
            - '.it'
            - '.nl'
            - '.se'
            - '.no'
            - '.es'
            # Extend this list as needed
    condition: selection and not filter
falsepositives:
    - All kind of software downloads
level: low
low
Office Macro File Creation
Detects the creation of a new office macro files on the systems
status test author Nasreddine Bencherchali (Nextron Systems) id 91174a41-dc8f-401b-be89-7bfc140612a0
title: Office Macro File Creation
id: 91174a41-dc8f-401b-be89-7bfc140612a0
related:
    - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
      type: similar
status: test
description: Detects the creation of a new office macro files on the systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2026-01-09
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith:
            - '.docm'
            - '.dotm'
            - '.xlsm'
            - '.xltm'
            - '.potm'
            - '.pptm'
    filter_main_office:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\WINWORD.EXE'
            - '\EXCEL.EXE'
            - '\POWERPNT.EXE'
        TargetFilename|contains: '\~$' # Temporary files created by Office applications
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Very common in environments that rely heavily on macro documents
level: low
low
Office Macro File Download
Detects the creation of a new office macro files on the system via an application (browser, mail client). This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
status test author Nasreddine Bencherchali (Nextron Systems) id 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
title: Office Macro File Download
id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66
related:
    - id: 91174a41-dc8f-401b-be89-7bfc140612a0
      type: similar
status: test
description: |
    Detects the creation of a new office macro files on the system via an application (browser, mail client).
    This can help identify potential malicious activity, such as the download of macro-enabled documents that could be used for exploitation.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
    - https://learn.microsoft.com/en-us/deployoffice/compat/office-file-format-reference
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-01-23
modified: 2025-10-29
tags:
    - attack.initial-access
    - attack.t1566.001
logsource:
    category: file_event
    product: windows
detection:
    selection_processes:
        Image|endswith:
            # Email clients
            - '\RuntimeBroker.exe' # Windows Email clients uses RuntimeBroker to create the files
            - '\outlook.exe'
            - '\thunderbird.exe'
            # Browsers
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
    selection_ext:
        - TargetFilename|endswith:
              - '.docm'
              - '.dotm'
              - '.xlsm'
              - '.xltm'
              - '.potm'
              - '.pptm'
        - TargetFilename|contains:
              - '.docm:Zone'
              - '.dotm:Zone'
              - '.xlsm:Zone'
              - '.xltm:Zone'
              - '.potm:Zone'
              - '.pptm:Zone'
    condition: all of selection_*
falsepositives:
    - Legitimate macro files downloaded from the internet
    - Legitimate macro files sent as attachments via emails
level: low
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin