Sigma Rules
1,607 rules found
Suspicious WindowsTerminal Child Processes
Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
Add New Download Source To Winget
Detects usage of winget to add new additional download sources
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
Add Potential Suspicious New Download Source To Winget
Detects usage of winget to add new potentially suspicious download sources
Install New Package Via Winget Local Manifest
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.
Winrar Compressing Dump Files
Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Potentially Suspicious Child Process Of WinRAR.EXE
Detects potentially suspicious child processes of WinRAR.exe.
WinRAR Execution in Non-Standard Folder
Detects a suspicious WinRAR execution in a folder which is not the default installation folder
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Remote Code Execute via Winrm.vbs
Detects an attempt to execute code or create service on remote host via winrm.vbs.
Remote PowerShell Session Host Process (WinRM)
Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
Suspicious Processes Spawned by WinRM
Detects suspicious processes including shells spawnd from WinRM host process
Winrs Local Command Execution
Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
Potential Lateral Movement via Windows Remote Shell
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
Compress Data and Lock With Password for Exfiltration With WINZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Wlrmdr.EXE Uncommon Argument Or Child Process
Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
Password Set to Never Expire via WMI
Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
WMI Persistence - Script Event Consumer
Detects WMI script event consumers
New ActiveScriptEventConsumer Created Via Wmic.EXE
Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
New Process Created Via Wmic.EXE
Detects new process creation using WMIC via the "process call create" flag
Computer System Reconnaissance Via Wmic.EXE
Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
Hardware Model Reconnaissance Via Wmic.EXE
Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
Local Groups Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Windows Hotfix Updates Reconnaissance Via Wmic.EXE
Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
Process Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
Potential Product Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall and antivirus products
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
Service Reconnaissance Via Wmic.EXE
An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
Uncommon System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
System Disk And Volume Reconnaissance Via Wmic.EXE
An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the 'wmic' command-line utility and has been observed being used by threat actors such as Volt Typhoon.
WMIC Remote Command Execution
Detects the execution of WMIC to query information on a remote system
Service Started/Stopped Via Wmic.EXE
Detects usage of wmic to start or stop a service
Potential Remote SquiblyTwo Technique Execution
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
Registry Manipulation via WMI Stdregprov
Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
Suspicious WMIC Execution Via Office Process
Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
Suspicious Process Created Via Wmic.EXE
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
Application Terminated Via Wmic.EXE
Detects calls to the "terminate" function via wmic in order to kill an application
Application Removed Via Wmic.EXE
Detects the removal or uninstallation of an application via "Wmic.EXE".
Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility
XSL Script Execution Via WMIC.EXE
Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
WmiPrvSE Spawned A Process
Detects WmiPrvSE spawning a process
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
UEFI Persistence Via Wpbbin - ProcessCreation
Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
Potential Dropper Script Execution Via WScript/CScript
Detects wscript/cscript executions of scripts located in user directories