Sigma detection rules

Home/Sigma rules

Sigma

12 rules indexed · SIEM-agnostic detection content

Sigma is the open generic signature format for SIEM systems. Each rule below converts to native syntax for Splunk, Elastic, Sentinel, and other SIEMs. Expand any rule to see its raw YAML.

Severity critical high medium low all severities

◈

Detection rules

12 shown of 12

critical

Hacktool Execution - Imphash

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

status test author Florian Roth (Nextron Systems) id 24e3e58a-646b-4b50-adef-02ef935b9fc8

view Sigma YAML

title: Hacktool Execution - Imphash
id: 24e3e58a-646b-4b50-adef-02ef935b9fc8
status: test
description: Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-04
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.resource-development
    - attack.t1588.002
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains: # Sysmon field hashes contains all types
            - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
            - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
            - IMPHASH=bf6223a49e45d99094406777eb6004ba # PetitPotam
            - IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1 # JuicyPotato
            - IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC # JuicyPotato
            - IMPHASH=F9A28C458284584A93B14216308D31BD # JuicyPotatoNG
            - IMPHASH=6118619783FC175BC7EBECFF0769B46E # RoguePotato
            - IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA # RoguePotato
            - IMPHASH=563233BFA169ACC7892451F71AD5850A # RoguePotato
            - IMPHASH=87575CB7A0E0700EB37F2E3668671A08 # RoguePotato
            - IMPHASH=13F08707F759AF6003837A150A371BA1 # Pwdump
            - IMPHASH=1781F06048A7E58B323F0B9259BE798B # Pwdump
            - IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5 # Pwdump
            - IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D # Pwdump
            - IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2 # Pwdump
            - IMPHASH=713C29B396B907ED71A72482759ED757 # Pwdump
            - IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F # Pwdump
            - IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E # Pwdump
            - IMPHASH=8B114550386E31895DFAB371E741123D # Pwdump
            - IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793 # PwDumpX
            - IMPHASH=9D68781980370E00E0BD939EE5E6C141 # Pwdump
            - IMPHASH=B18A1401FF8F444056D29450FBC0A6CE # Pwdump
            - IMPHASH=CB567F9498452721D77A451374955F5F # Pwdump
            - IMPHASH=730073214094CD328547BF1F72289752 # Htran
            - IMPHASH=17B461A082950FC6332228572138B80C # Cobalt Strike beacons
            - IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9 # Cobalt Strike beacons
            - IMPHASH=819B19D53CA6736448F9325A85736792 # Cobalt Strike beacons
            - IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E # Cobalt Strike beacons
            - IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74 # PPLDump
            - IMPHASH=0588081AB0E63BA785938467E1B10CCA # PPLDump
            - IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C # NanoDump
            - IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29 # NanoDump
            - IMPHASH=4DA924CF622D039D58BCE71CDF05D242 # NanoDump
            - IMPHASH=E7A3A5C377E2D29324093377D7DB1C66 # NanoDump
            - IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF # NanoDump
            - IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE # NanoDump
            - IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4 # NanoDump
            - IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338 # NanoDump
            - IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E # NanoDump
            - IMPHASH=E6F9D5152DA699934B30DAAB206471F6 # NanoDump
            - IMPHASH=3AD59991CCF1D67339B319B15A41B35D # NanoDump
            - IMPHASH=FFDD59E0318B85A3E480874D9796D872 # NanoDump
            - IMPHASH=0CF479628D7CC1EA25EC7998A92F5051 # NanoDump
            - IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51 # NanoDump
            - IMPHASH=D6D0F80386E1380D05CB78E871BC72B1 # NanoDump
            - IMPHASH=38D9E015591BBFD4929E0D0F47FA0055 # HandleKatz
            - IMPHASH=0E2216679CA6E1094D63322E3412D650 # HandleKatz
            - IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB # DripLoader
            - IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798 # DripLoader
            - IMPHASH=11083E75553BAAE21DC89CE8F9A195E4 # DripLoader
            - IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80 # DripLoader
            - IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F # CreateMiniDump
            - IMPHASH=767637C23BB42CD5D7397CF58B0BE688 # UACMe Akagi
            - IMPHASH=14C4E4C72BA075E9069EE67F39188AD8 # UACMe Akagi
            - IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC # UACMe Akagi
            - IMPHASH=7D010C6BB6A3726F327F7E239166D127 # UACMe Akagi
            - IMPHASH=89159BA4DD04E4CE5559F132A9964EB3 # UACMe Akagi
            - IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F # UACMe Akagi
            - IMPHASH=5834ED4291BDEB928270428EBBAF7604 # UACMe Akagi
            - IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38 # UACMe Akagi
            - IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894 # UACMe Akagi
            - IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74 # UACMe Akagi
            - IMPHASH=3DE09703C8E79ED2CA3F01074719906B # UACMe Akagi
            - IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F # WCE
            - IMPHASH=E96A73C7BF33A464C510EDE582318BF2 # WCE
            - IMPHASH=32089B8851BBF8BC2D014E9F37288C83 # Sliver Stagers
            - IMPHASH=09D278F9DE118EF09163C6140255C690 # Dumpert
            - IMPHASH=03866661686829d806989e2fc5a72606 # Dumpert
            - IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d # Dumpert
            - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
            - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
            - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
            - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
            - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
            - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
            - IMPHASH=96DF3A3731912449521F6F8D183279B1 # Backstab
            - IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46 # Backstab
            - IMPHASH=51791678F351C03A0EB4E2A7B05C6E17 # Backstab
            - IMPHASH=25CE42B079282632708FC846129E98A5 # Forensia
            - IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20 # EDRSandBlast
            - IMPHASH=59223B5F52D8799D38E0754855CBDF42 # EDRSandBlast
            - IMPHASH=81E75D8F1D276C156653D3D8813E4A43 # EDRSandBlast
            - IMPHASH=17244E8B6B8227E57FE709CCAD421420 # EDRSandBlast
            - IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4 # EDRSandBlast
            - IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C # EDRSandBlast
            - IMPHASH=40445337761D80CF465136FAFB1F63E6 # EDRSandBlast
            - IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6 # EDRSilencer
            - IMPHASH=B50199E952C875241B9CE06C971CE3C1 # EventLogCrasher
    condition: selection
falsepositives:
    - Legitimate use of one of these tools
level: critical

high

Antivirus Relevant File Paths Alerts

Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

status test author Florian Roth (Nextron Systems), Arnim Rupp id c9a88268-0047-4824-ba6e-4d81ce0b907c

view Sigma YAML

title: Antivirus Relevant File Paths Alerts
id: c9a88268-0047-4824-ba6e-4d81ce0b907c
status: test
description: |
    Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    category: antivirus
detection:
    selection_path:
        Filename|contains:
            - ':\PerfLogs\'
            - ':\Temp\'
            - ':\Users\Default\'
            - ':\Users\Public\'
            - ':\Windows\'
            - '/www/'
            # - '\Client\'
            - '\inetpub\'
            - '\tsclient\'
            - 'apache'
            - 'nginx'
            - 'tomcat'
            - 'weblogic'
    selection_ext:
        Filename|endswith:
            - '.asax'
            - '.ashx'
            - '.asmx'
            - '.asp'
            - '.aspx'
            - '.bat'
            - '.cfm'
            - '.cgi'
            - '.chm'
            - '.cmd'
            - '.dat'
            - '.ear'
            - '.gif'
            - '.hta'
            - '.jpeg'
            - '.jpg'
            - '.jsp'
            - '.jspx'
            - '.lnk'
            - '.msc'
            - '.php'
            - '.pl'
            - '.png'
            - '.ps1'
            - '.psm1'
            - '.py'
            - '.pyc'
            - '.rb'
            - '.scf'
            - '.sct'
            - '.sh'
            - '.svg'
            - '.txt'
            - '.vbe'
            - '.vbs'
            - '.war'
            - '.wll'
            - '.wsf'
            - '.wsh'
            - '.xll'
            - '.xml'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high

high

Hacktool Execution - PE Metadata

Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed

status test author Florian Roth (Nextron Systems) id 37c1333a-a0db-48be-b64b-7393b2386e3b

view Sigma YAML

title: Hacktool Execution - PE Metadata
id: 37c1333a-a0db-48be-b64b-7393b2386e3b
status: test
description: Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
references:
    - https://github.com/cube0x0
    - https://www.virustotal.com/gui/search/metadata%253ACube0x0/files
author: Florian Roth (Nextron Systems)
date: 2022-04-27
modified: 2024-01-15
tags:
    - attack.credential-access
    - attack.resource-development
    - attack.t1588.002
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Company: 'Cube0x0' # Detects the use of tools created by a well-known hacktool producer named "Cube0x0", which includes his handle in all binaries as company information in the PE headers (SharpPrintNightmare, KrbRelay, SharpMapExec, etc.)
    condition: selection
falsepositives:
    - Unlikely
level: high

high

Relevant Anti-Virus Signature Keywords In Application Log

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

status test author Florian Roth (Nextron Systems), Arnim Rupp id 78bc5783-81d9-4d73-ac97-59f6db4f72a8

view Sigma YAML

title: Relevant Anti-Virus Signature Keywords In Application Log
id: 78bc5783-81d9-4d73-ac97-59f6db4f72a8
status: test
description: |
    Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.
references:
    - https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31
    - https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed
    - https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01
    - https://www.nextron-systems.com/?s=antivirus
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2017-02-19
modified: 2024-12-25
tags:
    - attack.resource-development
    - attack.t1588
logsource:
    product: windows
    service: application
detection:
    keywords:
        - 'Adfind'
        - 'ASP/BackDoor '
        - 'ATK/'
        - 'Backdoor.ASP'
        - 'Backdoor.Cobalt'
        - 'Backdoor.JSP'
        - 'Backdoor.PHP'
        - 'Blackworm'
        - 'Brutel'
        - 'BruteR'
        - 'Chopper'
        - 'Cobalt'
        - 'COBEACON'
        - 'Cometer'
        - 'CRYPTES'
        - 'Cryptor'
        - 'Destructor'
        - 'DumpCreds'
        - 'Exploit.Script.CVE'
        - 'FastReverseProxy'
        - 'Filecoder'
        - 'GrandCrab '
        - 'HackTool'
        - 'HKTL'
        - 'HTool-'
        - '/HTool'
        - '.HTool'
        - 'IISExchgSpawnCMD'
        - 'Impacket'
        - 'JSP/BackDoor '
        - 'Keylogger'
        - 'Koadic'
        - 'Krypt'
        - 'Lazagne'
        - 'Metasploit'
        - 'Meterpreter'
        - 'MeteTool'
        - 'mikatz'
        - 'Mimikatz'
        - 'Mpreter'
        - 'MsfShell'
        - 'Nighthawk'
        - 'Packed.Generic.347'
        - 'PentestPowerShell'
        - 'Phobos'
        - 'PHP/BackDoor '
        - 'Potato'
        - 'PowerSploit'
        - 'PowerSSH'
        - 'PshlSpy'
        - 'PSWTool'
        - 'PWCrack'
        - 'PWDump'
        - 'Ransom'
        - 'Rozena'
        - 'Ryzerlo'
        - 'Sbelt'
        - 'Seatbelt'
        - 'SecurityTool '
        - 'SharpDump'
        - 'Shellcode'
        - 'Sliver'
        - 'Splinter'
        - 'Swrort'
        - 'Tescrypt'
        - 'TeslaCrypt'
        - 'TurtleLoader'
        - 'Valyria'
        - 'Webshell'
        # - 'FRP.'
        # - 'Locker'
        # - 'PWS.'
        # - 'PWSX'
        # - 'Razy'
        # - 'Ryuk'
    filter_optional_generic:
        - 'anti_ransomware_service.exe'
        - 'Anti-Ransomware'
        - 'Crack'
        - 'cyber-protect-service.exe'
        - 'encryptor'
        - 'Keygen'
    filter_optional_information:
        Level: 4  # Information level
    filter_optional_restartmanager:
        Provider_Name: 'Microsoft-Windows-RestartManager'
    condition: keywords and not 1 of filter_optional_*
falsepositives:
    - Some software piracy tools (key generators, cracks) are classified as hack tools
level: high

high

Relevant ClamAV Message

Detects relevant ClamAV messages

status stable author Florian Roth (Nextron Systems) id 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb

view Sigma YAML

title: Relevant ClamAV Message
id: 36aa86ca-fd9d-4456-814e-d3b1b8e1e0bb
status: stable
description: Detects relevant ClamAV messages
references:
    - https://github.com/ossec/ossec-hids/blob/1ecffb1b884607cb12e619f9ab3c04f530801083/etc/rules/clam_av_rules.xml
author: Florian Roth (Nextron Systems)
date: 2017-03-01
tags:
    - attack.resource-development
    - attack.t1588.001
logsource:
    product: linux
    service: clamav
detection:
    keywords:
        - 'Trojan*FOUND'
        - 'VirTool*FOUND'
        - 'Webshell*FOUND'
        - 'Rootkit*FOUND'
        - 'Htran*FOUND'
    condition: keywords
falsepositives:
    - Unknown
level: high

high

Renamed SysInternals DebugView Execution

Detects suspicious renamed SysInternals DebugView execution

status test author Florian Roth (Nextron Systems) id cd764533-2e07-40d6-a718-cfeec7f2da7f

view Sigma YAML

title: Renamed SysInternals DebugView Execution
id: cd764533-2e07-40d6-a718-cfeec7f2da7f
status: test
description: Detects suspicious renamed SysInternals DebugView execution
references:
    - https://www.epicturla.com/blog/sysinturla
author: Florian Roth (Nextron Systems)
date: 2020-05-28
modified: 2023-02-14
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Product: 'Sysinternals DebugView'
    filter:
        OriginalFileName: 'Dbgview.exe'
        Image|endswith: '\Dbgview.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high

high

Suspicious Execution Of Renamed Sysinternals Tools - Registry

Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)

status test author Nasreddine Bencherchali (Nextron Systems) id f50f3c09-557d-492d-81db-9064a8d4e211

view Sigma YAML

title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 8023f872-3f1d-4301-a384-801889917ab4
      type: similar
status: test
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            # Please add new values while respecting the alphabetical order
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\ProcDump'
            - '\Process Explorer'
            - '\PsExec'
            - '\PsLoggedon'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\PsPing'
            - '\PsService'
            - '\SDelete'
        TargetObject|endswith: '\EulaAccepted'
    filter:
        Image|endswith:
            # Please add new values while respecting the alphabetical order
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\PsLoggedon.exe'
            - '\PsLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\PsPing.exe'
            - '\PsPing64.exe'
            - '\PsService.exe'
            - '\PsService64.exe'
            - '\sdelete.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml

high

Usage of Renamed Sysinternals Tools - RegistrySet

Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution

status test author Nasreddine Bencherchali (Nextron Systems) id 8023f872-3f1d-4301-a384-801889917ab4

view Sigma YAML

title: Usage of Renamed Sysinternals Tools - RegistrySet
id: 8023f872-3f1d-4301-a384-801889917ab4
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: f50f3c09-557d-492d-81db-9064a8d4e211
      type: similar
status: test
description: Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2023-08-17
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\PsExec'
            - '\ProcDump'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\Active Directory Explorer'
        TargetObject|endswith: '\EulaAccepted'
    filter_main_image_names:
        Image|endswith:
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
    filter_optional_null:
        Image: null # Race condition with some logging tools
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high

medium

PUA - Sysinternals Tools Execution - Registry

Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.

status test author Nasreddine Bencherchali (Nextron Systems) id c7da8edc-49ae-45a2-9e61-9fd860e4e73d

view Sigma YAML

title: PUA - Sysinternals Tools Execution - Registry
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 9841b233-8df8-4ad7-9133-b0b4402a9014
      type: obsolete
status: test
description: Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\Process Explorer'
            - '\ProcDump'
            - '\PsExec'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\SDelete'
            - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools. Filter the legitimate paths used in your environment
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_susp_execution_via_eula/info.yml

medium

Suspicious Keyboard Layout Load

Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only

status test author Florian Roth (Nextron Systems) id 34aa0252-6039-40ff-951f-939fd6ce47d8

view Sigma YAML

title: Suspicious Keyboard Layout Load
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
status: test
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
    - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
author: Florian Roth (Nextron Systems)
date: 2019-10-12
modified: 2023-08-17
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: registry_set
    product: windows
    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
    selection_registry:
        TargetObject|contains:
            - '\Keyboard Layout\Preload\'
            - '\Keyboard Layout\Substitutes\'
        Details|contains:
            - 00000429  # Persian (Iran)
            - 00050429  # Persian (Iran)
            - 0000042a  # Vietnamese
    condition: selection_registry
falsepositives:
    - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
level: medium

low

PUA - Sysinternal Tool Execution - Registry

Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key

status test author Markus Neis id 25ffa65d-76d8-4da5-a832-3f2b0136e133

view Sigma YAML

title: PUA - Sysinternal Tool Execution - Registry
id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
status: test
description: Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: '\EulaAccepted'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same Registry Key
level: low
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_execution_via_eula/info.yml

low

Potential Execution of Sysinternals Tools

Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools

status test author Markus Neis id 7cccd811-7ae9-4ebe-9afd-cb5c406b824b

view Sigma YAML

title: Potential Execution of Sysinternals Tools
id: 7cccd811-7ae9-4ebe-9afd-cb5c406b824b
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
status: test
description: Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
references:
    - https://twitter.com/Moti_B/status/1008587936735035392
author: Markus Neis
date: 2017-08-28
modified: 2024-03-13
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash: ' -accepteula'
    condition: selection
falsepositives:
    - Legitimate use of SysInternals tools
    - Programs that use the same command line flag
level: low

Showing 1-12 of 12

Prev 1 Next

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin