Sigma Rules
1,398 rules found
Suspicious Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
Uncommon Child Process Spawned By Odbcconf.EXE
Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
Potential Arbitrary File Download Using Office Application
Detects potential arbitrary file download using a Microsoft Office application
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp
Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
Potentially Suspicious Office Document Executed From Trusted Location
Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
OneNote.EXE Execution of Malicious Embedded Scripts
Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
Suspicious Microsoft OneNote Child Process
Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
Outlook EnableUnsafeClientMailRules Setting Enabled
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
Suspicious Execution From Outlook Temporary Folder
Detects a suspicious program execution in Outlook temp folder
Suspicious Outlook Child Process
Detects a suspicious process spawning from an Outlook process.
Suspicious Remote Child Process From Outlook
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
Suspicious Binary In User Directory Spawned From Office Application
Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
Potential Arbitrary DLL Load Using Winword
Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
PDQ Deploy Remote Adminstartion Tool Execution
Detect use of PDQ Deploy remote admin tool
Potentially Suspicious Execution Of PDQDeployRunner
Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
Perl Inline Command Execution
Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
Php Inline Command Execution
Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
Ping Hex IP
Detects a ping command that uses a hex encoded IP address
PktMon.EXE Execution
Detects execution of PktMon, a tool that captures network packets.
Suspicious Plink Port Forwarding
Detects suspicious Plink tunnel port forwarding to a local port
Potential RDP Tunneling Via Plink
Execution of plink to perform data exfiltration and tunneling
Suspicious Powercfg Execution To Change Lock Screen Timeout
Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
AADInternals PowerShell Cmdlets Execution - ProccessCreation
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Potential Active Directory Enumeration Using AD Module - ProcCreation
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Add Windows Capability Via PowerShell Cmdlet
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Potential AMSI Bypass Via .NET Reflection
Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
Potential AMSI Bypass Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Audio Capture via PowerShell
Detects audio capture via PowerShell Cmdlet.
Suspicious Encoded PowerShell Command Line
Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
Suspicious PowerShell Encoded Command Patterns
Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
Suspicious Obfuscated PowerShell Code
Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
PowerShell Base64 Encoded FromBase64String Cmdlet
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
Malicious Base64 Encoded PowerShell Keywords in Command Lines
Detects base64 encoded strings used in hidden malicious PowerShell command lines
PowerShell Base64 Encoded IEX Cmdlet
Detects usage of a base64 encoded "IEX" cmdlet in a process command line
PowerShell Base64 Encoded Invoke Keyword
Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
Powershell Base64 Encoded MpPreference Cmdlet
Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
PowerShell Base64 Encoded Reflective Assembly Load
Detects base64 encoded .NET reflective loading of Assembly
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
PowerShell Base64 Encoded WMI Classes
Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
Potential Process Execution Proxy Via CL_Invocation.ps1
Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
Assembly Loading Via CL_LoadAssembly.ps1
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1
Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
ConvertTo-SecureString Cmdlet Usage Via CommandLine
Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
Potential PowerShell Obfuscation Via Reversed Commands
Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
Potential PowerShell Command Line Obfuscation
Detects the PowerShell command lines with special characters
Obfuscated PowerShell MSI Install via WindowsInstaller COM
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`). The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.