Sigma Rules
1,701 rules found
Vulnerable WinRing0 Driver Load
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation
WinDivert Driver Load
Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Exchange PowerShell Cmdlet History Deleted
Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
Prefetch File Deleted
Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
Unusual File Deletion by Dns.exe
Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
Creation Exe for Service with Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Cred Dump Tools Dropped Files
Files with well-known filenames (parts of credential dump software or files produced by them) creation
WScript or CScript Dropper - File
Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
DLL Search Order Hijackig Via Additional Space in Path
Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack
Suspicious ASPX File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
HackTool - CrackMapExec File Indicators
Detects file creation events with filename patterns used by CrackMapExec.
HackTool - Typical HiveNightmare SAM File Export
Detects files written by the different tools that exploit HiveNightmare
HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
HackTool - NPPSpy Hacktool Usage
Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file
HackTool - Powerup Write Hijack DLL
Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).
HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump
Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
HackTool - SafetyKatz Dump Indicator
Detects default lsass dump filename generated by SafetyKatz.
HackTool - Impacket File Indicators
Detects file creation events with filename patterns used by Impacket.
Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
ISO File Created Within Temp Folders
Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.
LSASS Process Memory Dump Files
Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.
LSASS Process Dump Artefact In CrashDumps Folder
Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.
WerFault LSASS Process Memory Dump
Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Octopus Scanner Malware
Detects Octopus Scanner Malware.
File Creation In Suspicious Directory By Msdt.EXE
Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
Uncommon File Creation By Mysql Daemon Process
Detects the creation of files with scripting or executable extensions by Mysql daemon. Which could be an indicator of "User Defined Functions" abuse to download malware.
Suspicious DotNET CLR Usage Log Artifact
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
Suspicious File Creation In Uncommon AppData Folder
Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
NTDS.DIT Creation By Uncommon Parent Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory
NTDS.DIT Creation By Uncommon Process
Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory
NTDS Exfiltration Filename Patterns
Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.
Potential Persistence Via Microsoft Office Add-In
Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).
Office Macro File Creation From Suspicious Process
Detects the creation of a office macro file from a a suspicious process
Suspicious File Created Via OneNote Application
Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
Potential Persistence Via Outlook Form
Detects the creation of a new Outlook form which can contain malicious code
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
Suspicious Outlook Macro Created
Detects the creation of a macro file for Outlook.
Potential Persistence Via Microsoft Office Startup Folder
Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.
File With Uncommon Extension Created By An Office Application
Detects the creation of files with an executable or script extension by an Office application.
Uncommon File Created In Office Startup Folder
Detects the creation of a file with an uncommon extension in an Office application startup folder
PCRE.NET Package Temp Files
Detects processes creating temp files related to PCRE.NET package
Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive powershell scripts used for exploitation