Sigma Rules
216 rules found
UAC Bypass Using Consent and Comctl32 - File
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
UAC Bypass Using .NET Code Profiler on MMC
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
UAC Bypass Using EventVwr
Detects the pattern of a UAC bypass using Windows Event Viewer
UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
UAC Bypass Using IEInstal - File
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
UAC Bypass Using MSConfig Token Modification - File
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
UAC Bypass Using NTFS Reparse Point - File
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
UAC Bypass Abusing Winsat Path Parsing - File
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - File
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
VHD Image Download Via Browser
Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
Visual Studio Code Tunnel Remote File Creation
Detects the creation of file by the "node.exe" process in the ".vscode-server" directory. Could be a sign of remote file creation via VsCode tunnel feature
Renamed VsCode Code Tunnel Execution - File Indicator
Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
Potential Webshell Creation On Static Website
Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.
Creation of WerFault.exe/Wer.dll in Unusual Folder
Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.
WinRAR Creating Files in Startup Locations
Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
WMI Persistence - Script Event Consumer File Write
Detects file writes of WMI script event consumer
UEFI Persistence Via Wpbbin - FileCreation
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
Writing Local Admin Share
Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.
APT29 2018 Phishing Campaign File Indicators
Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
CVE-2021-1675 Print Spooler Exploitation Filename Pattern
Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
CVE-2021-26858 Exchange Exploitation
Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
Suspicious Word Cab File Write CVE-2021-40444
Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file
CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)
Potential Devil Bait Related Indicator
Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
Goofy Guineapig Backdoor IOC
Detects malicious indicators seen used by the Goofy Guineapig malware
Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
Pingback Backdoor File Indicators
Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
Small Sieve Malware File Indicator Creation
Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
Potential CVE-2023-36884 Exploitation Dropped File
Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
CVE-2023-40477 Potential Exploitation - .REV File Creation
Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
Potential COLDSTEEL RAT File Indicators
Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
Potential COLDSTEEL Persistence Service DLL Creation
Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
DarkGate - Autoit3.EXE File Creation By Uncommon Process
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.
SNAKE Malware Kernel Driver File Indicator
Detects SNAKE malware kernel driver file indicator
SNAKE Malware Installer Name Indicators
Detects filename indicators associated with the SNAKE malware as reported by CISA in their report
SNAKE Malware WerFault Persistence File Creation
Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
Diamond Sleet APT File Creation Indicators
Detects file creation activity that is related to Diamond Sleet APT activity