Sigma Rules
1,607 rules found
Suspicious Spool Service Child Process
Detects suspicious print spool service (spoolsv.exe) child processes.
Veeam Backup Database Suspicious Query
Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
Detects dump of credentials in VeeamBackup dbo
SQLite Chromium Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
SQLite Firefox Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
Arbitrary File Download Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Process Proxy Execution Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Port Forwarding Activity Via SSH.EXE
Detects port forwarding activity via SSH.exe
Program Executed Using Proxy/Local Command Via SSH.EXE
Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
Potential RDP Tunneling Via SSH
Execution of ssh.exe to perform data exfiltration and tunneling through RDP
Potential Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Execution via stordiag.exe
Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
Start of NT Virtual DOS Machine
Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
Abused Debug Privilege by Arbitrary Parent Processes
Detection of unusual child processes by different system processes
User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
User Added To Highly Privileged Group
Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
User Added to Remote Desktop Users Group
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
Always Install Elevated Windows Installer
Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
Potentially Suspicious Windows App Activity
Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
Arbitrary Shell Command Execution Via Settingcontent-Ms
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Phishing Pattern ISO in Archive
Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
Automated Collection Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
Potential Suspicious Browser Launch From Document Reader Process
Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
Suspicious Child Process Created as System
Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
Potential Commandline Obfuscation Using Escape Characters
Detects potential commandline obfuscation using known escape characters
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image
Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Suspicious ClickFix/FileFix Execution Pattern
Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix). Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
Suspicious Usage of For Loop with Recursive Directory Search in CMD
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious lnk files.
Potential Command Line Path Traversal Evasion Attempt
Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
Potential Browser Data Stealing
Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
Suspicious Copy From or To System Directory
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
LOL-Binary Copied From System Directory
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
Potential Crypto Mining Activity
Detects command line parameters or strings often used by crypto miners
Potential Data Exfiltration Activity Via CommandLine Tools
Detects the use of various CLI utilities exfiltrating data via web requests
Raccine Uninstall
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
Suspicious Double Extension File Execution
Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
Suspicious Parent Double Extension File Execution
Detect execution of suspicious double extension files in ParentCommandLine
Suspicious Download from Office Domain
Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
DumpStack.log Defender Evasion
Detects the use of the filename DumpStack.log to evade Microsoft Defender
Always Install Elevated MSI Spawned Cmd And Powershell
Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
Suspicious Electron Application Child Processes
Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
Potentially Suspicious Electron Application CommandLine
Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
Elevated System Shell Spawned From Uncommon Parent Location
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.
Hidden Powershell in Link File Pattern
Detects events that appear when a user click on a link file with a powershell command in it