Sigma Rules
29 rules found
CMSTP Execution Process Access
Detects various indicators of Microsoft Connection Manager Profile Installer execution
HackTool - CobaltStrike BOF Injection Pattern
Detects a typical pattern of a CobaltStrike BOF which inject into other processes
HackTool - Generic Process Access
Detects process access requests from hacktool processes based on their default image name
HackTool - HandleKatz Duplicating LSASS Handle
Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles
HackTool - LittleCorporal Generated Maldoc Injection
Detects the process injection of a LittleCorporal generated Maldoc.
HackTool - SysmonEnte Execution
Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon
Lsass Memory Dump via Comsvcs DLL
Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
LSASS Memory Access by Tool With Dump Keyword In Name
Detects LSASS process access requests from a source process with the "dump" keyword in its image name.
Potential Credential Dumping Activity Via LSASS
Detects process access requests to the LSASS process with specific call trace calls and access masks. This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
Remote LSASS Process Access Through Windows Remote Management
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
Suspicious LSASS Access Via MalSecLogon
Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
Credential Dumping Attempt Via WerFault
Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
Uncommon Process Access Rights For Target Image
Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
Potential Direct Syscall of NtOpenProcess
Detects potential calls to NtOpenProcess directly from NTDLL.
Credential Dumping Attempt Via Svchost
Detects when a process tries to access the memory of svchost to potentially dump credentials.
Suspicious Svchost Process Access
Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
Function Call From Undocumented COM Interface EditionUpgradeManager
Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
UAC Bypass Using WOW64 Logger DLL Hijack
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
Malware Shellcode in Verclsid Target Process
Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access
Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers instead of legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV.
Potential Credential Dumping Attempt Via PowerShell
Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
LSASS Access From Program In Potentially Suspicious Folder
Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
Uncommon GrantedAccess Flags On LSASS
Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
Potential Shellcode Injection
Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.