Home/Sigma rules
Sigma

Sigma detection rules

7 rules indexed · SIEM-agnostic detection content
Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.
Severity critical high medium low all severities

Detection rules

7 shown of 7
critical
ProxyLogon MSExchange OabVirtualDirectory
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
status test author Florian Roth (Nextron Systems) id 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
view Sigma YAML 
title: ProxyLogon MSExchange OabVirtualDirectory
id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
status: test
description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: Florian Roth (Nextron Systems)
date: 2021-08-09
modified: 2023-01-23
tags:
    - attack.t1587.001
    - attack.resource-development
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords_cmdlet:
        '|all':
            - 'OabVirtualDirectory'
            - ' -ExternalUrl '
    keywords_params:
        - 'eval(request'
        - 'http://f/<script'
        - '"unsafe"};'
        - 'function Page_Load()'
    condition: keywords_cmdlet and keywords_params
falsepositives:
    - Unlikely
level: critical
high
PUA - CsExec Execution
Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
status test author Florian Roth (Nextron Systems) id d08a2711-ee8b-4323-bdec-b7d85e892b31
view Sigma YAML 
title: PUA - CsExec Execution
id: d08a2711-ee8b-4323-bdec-b7d85e892b31
status: test
description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
references:
    - https://github.com/malcomvetter/CSExec
    - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
author: Florian Roth (Nextron Systems)
date: 2022-08-22
modified: 2023-02-21
tags:
    - attack.resource-development
    - attack.t1587.001
    - attack.execution
    - attack.t1569.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\csexec.exe'
    selection_pe:
        Description: 'csexec'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
high
Potential Privilege Escalation To LOCAL SYSTEM
Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 207b0396-3689-42d9-8399-4222658efc99
view Sigma YAML 
title: Potential Privilege Escalation To LOCAL SYSTEM
id: 207b0396-3689-42d9-8399-4222658efc99
related:
    - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
      type: similar
status: test
description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-05-22
modified: 2024-03-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Escalation to LOCAL_SYSTEM
        CommandLine|contains|windash:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
            - ' -s cmd'
            - ' -s -i cmd'
            - ' -i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' -s -i pwsh'
            - ' -i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' -s -i powershell'
            - ' -i -s powershell'
    filter_main_exclude_coverage:
        # This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
        CommandLine|contains:
            - 'paexec'
            - 'PsExec'
            - 'accepteula'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Weird admins that rename their tools
    - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
level: high
high
Potential PsExec Remote Execution
Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id ea011323-7045-460b-b2d7-0f7442ea6b38
view Sigma YAML 
title: Potential PsExec Remote Execution
id: ea011323-7045-460b-b2d7-0f7442ea6b38
status: test
description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-28
modified: 2025-09-01
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Accepting EULA in commandline - often used in automated attacks
        CommandLine|contains|all:
            - 'accepteula'
            - ' -u '
            - ' -p '
            - ' \\\\'
    filter_main_localhost:
        CommandLine|contains:
            - '\\\\localhost'
            - '\\\\127.'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
high
PsExec/PAExec Escalation to LOCAL SYSTEM
Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
status test author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) id 8834e2f7-6b4b-4f09-8906-d2276470ee23
view Sigma YAML 
title: PsExec/PAExec Escalation to LOCAL SYSTEM
id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
related:
    - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
      type: similar
status: test
description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
references:
    - https://learn.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021-11-23
modified: 2024-03-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_sys: # Escalation to LOCAL_SYSTEM
        CommandLine|contains|windash:
            # Note that you don't need to add the ".exe" part when using psexec/paexec
            # The "-" can also be replaced with "/"
            # The order of args isn't important
            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
            - ' -s cmd'
            - ' -s -i cmd'
            - ' -i -s cmd'
            # Pwsh (For PowerShell 7)
            - ' -s pwsh'
            - ' -s -i pwsh'
            - ' -i -s pwsh'
            # PowerShell (For PowerShell 5)
            - ' -s powershell'
            - ' -s -i powershell'
            - ' -i -s powershell'
    selection_other:
        CommandLine|contains:
            - 'psexec'
            - 'paexec'
            - 'accepteula'
    condition: all of selection_*
falsepositives:
    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
high
Uncommon File Created In Office Startup Folder
Detects the creation of a file with an uncommon extension in an Office application startup folder
status test author frack113, Nasreddine Bencherchali (Nextron Systems) id a10a2c40-2c4d-49f8-b557-1a946bc55d9d
view Sigma YAML 
title: Uncommon File Created In Office Startup Folder
id: a10a2c40-2c4d-49f8-b557-1a946bc55d9d
status: test
description: Detects the creation of a file with an uncommon extension in an Office application startup folder
references:
    - https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/
    - http://addbalance.com/word/startup.htm
    - https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3
    - https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-05
modified: 2023-12-13
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    product: windows
    category: file_event
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\STARTUP'
    filter_exclude_word_ext:
        TargetFilename|endswith:
            - '.docb' # Word binary document introduced in Microsoft Office 2007
            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
            - '.docx' # Word document
            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
            - '.mdb' # MS Access DB
            - '.mdw' # MS Access DB
            - '.pdf' # PDF documents
            - '.wll' # Word add-in
            - '.wwl' # Word add-in
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\XLSTART'
    filter_exclude_excel_ext:
        TargetFilename|endswith:
            - '.xll'
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
            - '.xlw'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
    - False positive might stem from rare extensions used by other Office utilities.
level: high
medium
VHD Image Download Via Browser
Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
status test author frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' id 8468111a-ef07-4654-903b-b863a80bbc95
view Sigma YAML 
title: VHD Image Download Via Browser
id: 8468111a-ef07-4654-903b-b863a80bbc95
status: test
description: |
    Detects creation of ".vhd"/".vhdx" files by browser processes.
    Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
references:
    - https://redcanary.com/blog/intelligence-insights-october-2021/
    - https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/
    - https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-10-25
modified: 2023-05-05
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\maxthon.exe'
            - '\MicrosoftEdge.exe'
            - '\msedge.exe'
            - '\msedgewebview2.exe'
            - '\opera.exe'
            - '\safari.exe'
            - '\seamonkey.exe'
            - '\vivaldi.exe'
            - '\whale.exe'
        # We don't use "endswith" to also match with ADS logs and ".vhdx". Example: "TargetFilename: C:\Users\xxx\Downloads\windows.vhd:Zone.Identifier"
        TargetFilename|contains: '.vhd'
    condition: selection
falsepositives:
    - Legitimate downloads of ".vhd" files would also trigger this
level: medium
Showing 1-7 of 7
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin