Sigma Rules
1,607 rules found
Scheduled Task Creation From Potential Suspicious Parent Location
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
SC.EXE Query Execution
Detects execution of "sc.exe" to query information about registered services on the system
Potential CommandLine Obfuscation Using Unicode Characters
Detects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Potentially Suspicious Compression Tool Parameters
Detects potentially suspicious command line arguments of common data compression tools
Elevated System Shell Spawned
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
EventLog Query Requests By Builtin Utilities
Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
Potential Suspicious Execution From GUID Like Folder Names
Detects potential suspicious execution of a GUID like folder name located in a suspicious location such as %TEMP% as seen being used in IcedID attacks. Use this rule to hunt for potentially suspicious activity stemming from uncommon folders.
Execution From Webserver Root Folder
Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
Tunneling Tool Execution
Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
File or Folder Permissions Modifications
Detects a file or folder's permissions being modified or tampered with.
Use Short Name Path in Command Line
Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations. Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs. When investigating, examine: - Commands using short paths to access sensitive directories or files - Web servers on Windows (especially Apache) where short filenames could bypass security controls - Correlation with other suspicious behaviors - baseline of short name usage in your environment and look for deviations
HTML File Opened From Download Folder
Detects web browser process opening an HTML file from a user's Downloads folder. This behavior is could be associated with phishing attacks where threat actors send HTML attachments to users. When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware. During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
Potential Executable Run Itself As Sacrificial Process
Detects when an executable launches an identical instance of itself, a behavior often used to create a suspended “sacrificial” process for code injection or evasion. Investigate for indicators such as the process being started in suspended mode, rapid parent termination, memory manipulation (e.g., WriteProcessMemory, CreateRemoteThread), or unsigned binaries. Review command-line arguments, process ancestry, and network activity to confirm if this is legitimate behavior or process injection activity.
Manual Execution of Script Inside of a Compressed File
This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries. From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios. 1. Compressed file opened using 7zip. 2. Compressed file opened using WinRar. 3. Compressed file opened using native windows File Explorer capabilities. When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
Process Terminated Via Taskkill
Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.
Suspicious Tasklist Discovery Command
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network
Process Execution From WebDAV Share
Detects execution of processes with image paths starting with WebDAV shares (\\), which might indicate malicious file execution from remote web shares. Execution of processes from WebDAV shares can be a sign of lateral movement or exploitation attempts, especially if the process is not a known legitimate application. Exploitation Attempt of vulnerabilities like CVE-2025-33053 also involves executing processes from WebDAV paths.
FTP Connection Open Attempt Via Winscp CLI
Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.
Winscp Execution From Non Standard Folder
Detects the execution of Winscp from an a non standard folder. This could indicate the execution of Winscp portable.
System Information Discovery Via Wmic.EXE
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS, and GPU driver products/versions.
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
Arbitrary Command Execution Using WSL
Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.
Cab File Extraction Via Wusa.EXE
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported.