Sigma Rules
1,607 rules found
Cscript/Wscript Potentially Suspicious Child Process
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
Cscript/Wscript Uncommon Script Extension Execution
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
WSL Child Process Anomaly
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
Installation of WSL Kali-Linux
Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL). Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
WSL Kali-Linux Usage
Detects the use of Kali Linux through Windows Subsystem for Linux
Windows Binary Executed From WSL
Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
Proxy Execution Via Wuauclt.EXE
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Suspicious Windows Update Agent Empty Cmdline
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Wusa.EXE Executed By Parent Process Located In Suspicious Location
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
Xwizard.EXE Execution From Non-Default Location
Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
COM Object Execution via Xwizard.EXE
Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.
ZxShell Malware
Detects a ZxShell start by the called and well-known function name
Turla Group Lateral Movement
Detects automated lateral movement by Turla group
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
Exploit for CVE-2015-1641
Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
Exploit for CVE-2017-0261
Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
Droppers Exploiting CVE-2017-11882
Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
Exploit for CVE-2017-8759
Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
Adwind RAT / JRAT
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Fireball Archer Install
Detects Archer malware invocation via rundll32
NotPetya Ransomware Activity
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil
Potential PlugX Activity
Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
WannaCry Ransomware Activity
Detects WannaCry ransomware activity
Potential APT10 Cloud Hopper Activity
Detects potential process and execution activity related to APT10 Cloud Hopper operation
Ps.exe Renamed SysInternals Tool
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
Lazarus System Binary Masquerading
Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location
Elise Backdoor Activity
Detects Elise backdoor activity used by APT32
APT27 - Emissary Panda Activity
Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
Sofacy Trojan Loader Activity
Detects Trojan loader activity as used by APT28
APT29 2018 Phishing Campaign CommandLine Indicators
Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
Potential MuddyWater APT Activity
Detects potential Muddywater APT activity
OilRig APT Activity
Detects OilRig activity as reported by Nyotron in their March 2018 report
Defrag Deactivation
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
TropicTrooper Campaign November 2018
Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
Potential BearLPE Exploitation
Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
Exploiting SetupComplete.cmd CVE-2019-1378
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Exploiting CVE-2019-1388
Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM
Sudo Privilege Escalation CVE-2019-14287
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Potential Baby Shark Malware Activity
Detects activity that could be related to Baby Shark malware
Potential Dridex Activity
Detects potential Dridex acitvity via specific process patterns
Potential Dtrack RAT Activity
Detects potential Dtrack RAT activity via specific process patterns
Potential Emotet Activity
Detects all Emotet like process executions that are not covered by the more generic rules
Formbook Process Creation
Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
Potential QBot Activity
Detects potential QBot activity by looking for process executions used previously by QBot
Potential Ryuk Ransomware Activity
Detects Ryuk ransomware activity
Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers