Sigma Rules
1,607 rules found
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
Service DACL Abuse To Hide Services Via Sc.EXE
Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
Service Security Descriptor Tampering Via Sc.EXE
Detection of sc.exe utility adding a new service with special permission which hides that service.
Suspicious Service Path Modification
Detects service path modification via the "sc" binary to a suspicious command or path
Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Stop Windows Service Via Sc.EXE
Detects the stopping of a Windows service via the "sc.exe" utility
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload
Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Suspicious Scheduled Task Creation Involving Temp Folder
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
Scheduled Task Creation with Curl and PowerShell Execution Combo
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
Disable Important Scheduled Task
Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
Schtasks From Suspicious Folders
Detects scheduled task creations that have suspicious action command and folder combinations
Suspicious Scheduled Task Name As GUID
Detects creation of a scheduled task with a GUID like name
Uncommon One Time Only Scheduled Task At 00:00
Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
Potential Persistence Via Microsoft Compatibility Appraiser
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
Potential Persistence Via Powershell Search Order Hijacking - Task
Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
Scheduled Task Executing Payload from Registry
Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
Scheduled Task Executing Encoded Payload from Registry
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Suspicious Schtasks Schedule Types
Detects scheduled task creations or modification on a suspicious schedule type
Suspicious Schtasks Schedule Type With High Privileges
Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
Suspicious Scheduled Task Creation via Masqueraded XML File
Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
Suspicious Command Patterns In Scheduled Task Creation
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
Schtasks Creation Or Modification With SYSTEM Privileges
Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
Scheduled Task Creation Masquerading as System Processes
Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
Script Event Consumer Spawning Process
Detects a suspicious child process of Script Event Consumer (scrcons.exe).
Potential Shim Database Persistence via Sdbinst.EXE
Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Uncommon Extension Shim Database Installation Via Sdbinst.EXE
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Sdclt Child Processes
A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
Sdiagnhost Calling Suspicious Child Process
Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
Potential Suspicious Activity Using SeCEdit
Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
NodeJS Execution of JavaScript File
Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
Suspicious Serv-U Process Pattern
Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
Uncommon Child Process Of Setres.EXE
Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
Potential SPN Enumeration Via Setspn.EXE
Detects service principal name (SPN) enumeration used for Kerberoasting
Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.
Suspicious Execution of Shutdown
Use of the commandline to shutdown or reboot windows
Suspicious Execution of Shutdown to Log Out
Detects the rare use of the command line tool shutdown to logoff a user
Uncommon Sigverif.EXE Child Process
Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
Uncommon Child Processes Of SndVol.exe
Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
Audio Capture via SoundRecorder
Detect attacker collecting audio via SoundRecorder application.
Suspicious Speech Runtime Binary Child Process
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
Suspicious Splwow64 Without Params
Detects suspicious Splwow64.exe process without any command line parameters