Sigma Rules
1,607 rules found
HackTool - SILENTTRINITY Stager Execution
Detects SILENTTRINITY stager use via PE metadata
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
HackTool - SOAPHound Execution
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
HackTool - Stracciatella Execution
Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
HackTool - TruffleSnout Execution
Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
HackTool - UACMe Akagi Execution
Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
HackTool - winPEAS Execution
WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
HackTool - WinPwn Execution
Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
HackTool - Wmiexec Default Powershell Command
Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
HackTool - WSASS Execution
Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
HackTool - XORDump Execution
Detects suspicious use of XORDump process memory dumping utility
Suspicious ZipExec Execution
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Suspicious Execution of Hostname
Use of hostname to get information
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
Suspicious HWP Sub Processes
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
Potential Fake Instance Of Hxtsr.EXE Executed
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
Use Icacls to Hide File to Everyone
Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
File Download And Execution Via IEExec.EXE
Detects execution of the IEExec utility to download and execute files
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.
Disable Windows IIS HTTP Logging
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
Microsoft IIS Service Account Password Dumped
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
IIS Native-Code Module Command Line Installation
Detects suspicious IIS native-code module installations via command line
Suspicious IIS URL GlobalRules Rewrite Via AppCmd
Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
Microsoft IIS Connection Strings Decryption
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
IIS WebServer Log Deletion via CommandLine Utilities
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
Suspicious IIS Module Registration
Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
C# IL Code Compilation Via Ilasm.EXE
Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
ImagingDevices Unusual Parent/Child Processes
Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" to download arbitrary files
InfDefaultInstall.exe .inf Execution
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
File Download Via InstallUtil.EXE
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
Suspicious Execution of InstallUtil Without Log
Uses the .NET InstallUtil.exe application in order to execute image without log
Suspicious Shells Spawn by Java Utility Keytool
Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
Suspicious Child Process Of Manage Engine ServiceDesk
Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
Java Running with Remote Debugging
Detects a JAVA process running with remote debugging allowing more than just localhost to connect
Suspicious Processes Spawned by Java.EXE
Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
Shell Process Spawned by Java.EXE
Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Suspicious SysAidServer Child
Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
JScript Compiler Execution
Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
Kavremover Dropped Binary LOLBIN Usage
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
Windows Kernel Debugger Execution
Detects execution of the Windows Kernel Debugger "kd.exe".
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or checking for the presence of such records through the `nslookup` command.
Potentially Suspicious Child Process of KeyScrambler.exe
Detects potentially suspicious child processes of KeyScrambler.exe
Computer Password Change Via Ksetup.EXE
Detects password change for the computer's domain account or host principal via "ksetup.exe"
Logged-On User Password Change Via Ksetup.EXE
Detects password change for the logged-on user's via "ksetup.exe"
Active Directory Structure Export Via Ldifde.EXE
Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.