Sigma Rules
122 rules found
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.
DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations
Amsi.DLL Loaded Via LOLBIN Process
Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack
Potential Azure Browser SSO Abuse
Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.
Suspicious Renamed Comsvcs DLL Loaded By Rundll32
Detects rundll32 loading a renamed comsvcs.dll to dump process memory
CredUI.DLL Loaded By Uncommon Process
Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
PCRE.NET Package Image Load
Detects processes loading modules related to PCRE.NET package
Load Of RstrtMgr.DLL By A Suspicious Process
Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
Load Of RstrtMgr.DLL By An Uncommon Process
Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process. This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows. It could also be used for anti-analysis purposes by shut downing specific processes.
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
PowerShell Core DLL Loaded By Non PowerShell Process
Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
Time Travel Debugging Utility Usage - Image
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Unsigned .node File Loaded
Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
Suspicious Volume Shadow Copy Vssapi.dll Load
Detects the image load of VSS DLL by uncommon executables
Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
Detects the image load of VSS DLL by uncommon executables
Suspicious Volume Shadow Copy VSS_PS.dll Load
Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
HackTool - SharpEvtMute DLL Load
Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool that tampers with the Windows event logs
HackTool - SILENTTRINITY Stager DLL Load
Detects SILENTTRINITY stager dll loading activity
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
Unsigned Image Loaded Into LSASS Process
Loading unsigned image (DLL, EXE) into LSASS process
DotNET Assembly DLL Loaded Via Office Application
Detects any assembly DLL being loaded by an Office Product
CLR DLL Loaded Via Office Applications
Detects CLR DLL being loaded by an Office Product
GAC DLL Loaded Via Office Applications
Detects any GAC DLL being loaded by an Office Product
Microsoft Excel Add-In Loaded From Uncommon Location
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
Microsoft VBA For Outlook Addin Loaded Via Outlook
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
PowerShell Core DLL Loaded Via Office Application
Detects PowerShell core DLL being loaded by an Office Product
VBA DLL Loaded Via Office Application
Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
Remote DLL Load Via Rundll32.EXE
Detects a remote DLL load event via "rundll32.exe".
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.
Potential 7za.DLL Sideloading
Detects potential DLL sideloading of "7za.dll"
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
Potential Antivirus Software DLL Sideloading
Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc
Potential appverifUI.DLL Sideloading
Detects potential DLL sideloading of "appverifUI.dll"
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Potential AVKkid.DLL Sideloading
Detects potential DLL sideloading of "AVKkid.dll"
Potential CCleanerDU.DLL Sideloading
Detects potential DLL sideloading of "CCleanerDU.dll"
Potential CCleanerReactivator.DLL Sideloading
Detects potential DLL sideloading of "CCleanerReactivator.dll"
Potential Chrome Frame Helper DLL Sideloading
Detects potential DLL sideloading of "chrome_frame_helper.dll"
Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software
Potential DLL Sideloading Via comctl32.dll
Detects potential DLL sideloading using comctl32.dll to obtain system privileges
Potential DLL Sideloading Using Coregen.exe
Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
Potential DLL Sideloading Of DBGCORE.DLL
Detects DLL sideloading of "dbgcore.dll"
Potential DLL Sideloading Of DBGHELP.DLL
Detects potential DLL sideloading of "dbghelp.dll"
Potential DLL Sideloading Of DbgModel.DLL
Detects potential DLL sideloading of "DbgModel.dll"
Potential EACore.DLL Sideloading
Detects potential DLL sideloading of "EACore.dll"
Potential Edputil.DLL Sideloading
Detects potential DLL sideloading of "edputil.dll"