Sigma Rules
1,398 rules found
Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Windows Processes Suspicious Parent Directory
Detect suspicious parent processes of well-known Windows processes
Suspicious Program Names
Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
Recon Information for Export with Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Suspicious Process Execution From Fake Recycle.Bin Folder
Detects process execution from a fake recycle bin folder, often used to avoid security solution.
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
Registry Modification of MS-settings Protocol Handler
Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence. Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
Potential Remote Desktop Tunneling
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
Script Interpreter Execution From Suspicious Folder
Detects a suspicious script execution in temporary folders or folders accessible by environment variables
Suspicious Script Execution From Temp Folder
Detects a suspicious script executions from temporary folder
Script Interpreter Spawning Credential Scanner - Windows
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
Sensitive File Access Via Volume Shadow Copy Backup
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
Suspicious New Service Creation
Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
Suspicious Service Binary Directory
Detects a service binary running in a suspicious directory
Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
Shadow Copies Creation Using Operating Systems Utilities
Shadow Copies creation using operating systems utilities, possible credential access
Shadow Copies Deletion Using Operating Systems Utilities
Shadow Copies deletion using operating systems utilities
Windows Shell/Scripting Processes Spawning Suspicious Programs
Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Suspicious SYSVOL Domain Group Policy Access
Detects Access to Domain Group Policies stored in SYSVOL
Tasks Folder Evasion
The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Malicious Windows Script Components File Execution by TAEF Detection
Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
Malicious PE Execution by Microsoft Visual Studio Debugger
There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
Suspicious Userinit Child Process
Detects a suspicious child process of userinit
Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
Weak or Abused Passwords In CLI
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
Usage Of Web Request Commands And Cmdlets
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
WhoAmI as Parameter
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
Execution via WorkFolders.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe
Suspect Svchost Activity
It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
Suspicious Process Masquerading As SvcHost.EXE
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
Terminal Service Process Spawn
Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
Uncommon Svchost Command Line Parameter
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns. This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
Uncommon Svchost Parent Process
Detects an uncommon svchost parent process
Permission Check Via Accesschk.EXE
Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
Suspicious Active Directory Database Snapshot Via ADExplorer
Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
Potential Execution of Sysinternals Tools
Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
Potential Memory Dumping Activity Via LiveKD
Detects execution of LiveKD based on PE metadata or image name
Kernel Memory Dump Via LiveKD
Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
Procdump Execution
Detects usage of the SysInternals Procdump utility
Potential SysInternals ProcDump Evasion
Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
Potential LSASS Process Dump Via Procdump
Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
Psexec Execution
Detects user accept agreement execution in psexec commandline
PsExec/PAExec Escalation to LOCAL SYSTEM
Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights