Sigma rules for Emotet
2 rules · scoped to tool · back to Emotet
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Suspicious Encoded PowerShell Command Line
id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
status: test
description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
date: 2018-09-03
modified: 2023-04-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_enc:
CommandLine|contains: ' -e' # covers -en and -enc
selection_cli_content:
CommandLine|contains:
- ' JAB'
- ' SUVYI'
- ' SQBFAFgA'
- ' aQBlAHgA'
- ' aWV4I'
- ' IAA'
- ' IAB'
- ' UwB'
- ' cwB'
selection_standalone:
CommandLine|contains:
- '.exe -ENCOD '
- ' BA^J e-' # Reversed
filter_optional_remote_signed:
CommandLine|contains: ' -ExecutionPolicy remotesigned '
condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*
level: high
title: Cmd Launched with Hidden Start Flags to Suspicious Targets
id: 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d
status: experimental
description: |
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags.
To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories.
This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
references:
- https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous
- https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
- https://www.fortinet.com/blog/threat-research/ms-office-files-involved-in-emotet-trojan-campaign-pt-one
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start
tags:
- attack.stealth
- attack.t1564.003
author: Vladan Sekulic, Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-01-24
logsource:
category: process_creation
product: windows
detection:
selection_cmd_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cmd_hidden_start_1:
CommandLine|contains|windash:
- 'start '
- 'start/b'
- 'start/min'
selection_cmd_hidden_start_2:
CommandLine|contains|windash:
- '/b '
- '/b"'
- '/min '
- '/min"'
selection_cli_uncommon_location:
CommandLine|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Default\'
- ':\Windows\Temp\'
- '\AppData\Roaming\'
- '\Contacts\'
- '\Documents\'
- '\Downloads\'
- '\Favorites\'
- '\Favourites\'
- '\inetpub\'
- '\Music\'
- '\Photos\'
- '\Temporary Internet\'
- '\Users\Public\'
- '\Videos\'
selection_cli_susp_extension:
CommandLine|contains:
- '.bat'
- '.cmd'
- '.cpl'
- '.hta'
- '.js'
- '.ps1'
- '.scr'
- '.vbe'
- '.vbs'
selection_cli_susp_pattern:
CommandLine|contains:
- ' -nop '
- ' -sta '
- '.downloadfile(' # PowerShell download command
- '.downloadstring(' # PowerShell download command
- '-noni '
- '-w hidden '
condition: all of selection_cmd_* and 1 of selection_cli_*
falsepositives:
- Legitimate administrative scripts running from temporary folders.
- Niche software updaters utilizing hidden batch files in ProgramData.
level: medium # Can be increased after an initial baseline and tuning
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_cmd_launched_with_hidden_start_flag/info.yml