Sigma Rules
1,398 rules found
Potential PsExec Remote Execution
Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
PsExec Service Execution
Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
PsExec Service Child Process Execution as LOCAL SYSTEM
Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
Suspicious Use of PsLogList
Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
Sysinternals PsService Execution
Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
Sysinternals PsSuspend Execution
Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
Sysinternals PsSuspend Suspicious Execution
Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
Potential File Overwrite Via Sysinternals SDelete
Detects the use of SDelete to erase a file not the free space
Potential Privilege Escalation To LOCAL SYSTEM
Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
Sysmon Configuration Update
Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
Uninstall Sysinternals Sysmon
Detects the removal of Sysmon, which could be a potential attempt at defense evasion
Potential Binary Impersonating Sysinternals Tools
Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
Sysprep on AppData Folder
Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
Suspicious Execution of Systeminfo
Detects usage of the "systeminfo" command to retrieve information
Potential Signing Bypass Via Windows Developer Features
Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
Suspicious Recursive Takeown
Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
Tap Installer Execution
Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
Compressed File Creation Via Tar.EXE
Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
Compressed File Extraction Via Tar.EXE
Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.
Taskkill Symantec Endpoint Protection
Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
Loaded Module Enumeration Via Tasklist.EXE
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions.
Taskmgr as LOCAL_SYSTEM
Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
New Process Created Via Taskmgr.EXE
Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
Potentially Suspicious Command Targeting Teams Sensitive Files
Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.
New Virtual Smart Card Created Via TpmVscMgr.EXE
Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
Suspicious TSCON Start as SYSTEM
Detects a tscon.exe start as LOCAL SYSTEM
Suspicious RDP Redirect Using TSCON
Detects a suspicious RDP session redirect using tscon.exe
Potential RDP Session Hijacking Activity
Detects potential RDP Session Hijacking activity on Windows systems
UAC Bypass Using ChangePK and SLUI
Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
UAC Bypass Using Disk Cleanup
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
Bypass UAC via CMSTP
Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
CMSTP UAC Bypass via COM Object Access
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
UAC Bypass Tools Using ComputerDefaults
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
UAC Bypass Using Consent and Comctl32 - Process
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
UAC Bypass Using DismHost
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
UAC Bypass Using Event Viewer RecentViews
Detects the pattern of UAC Bypass using Event Viewer RecentViews
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
UAC Bypass via Windows Firewall Snap-In Hijack
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
UAC Bypass Using IDiagnostic Profile
Detects the "IDiagnosticProfileUAC" UAC bypass technique
UAC Bypass Using IEInstal - Process
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
UAC Bypass Using MSConfig Token Modification - Process
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
UAC Bypass Using PkgMgr and DISM
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Potential UAC Bypass Via Sdclt.EXE
A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
UAC Bypass Abusing Winsat Path Parsing - Process
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - Process
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)