Sigma Rules
1,701 rules found
Renamed Gpg.EXE Execution
Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
Renamed Jusched.EXE Execution
Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
Renamed Mavinject.EXE Execution
Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
Renamed MegaSync Execution
Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
Renamed Msdt.EXE Execution
Detects the execution of a renamed "Msdt.exe" binary
Renamed NetSupport RAT Execution
Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
Renamed NirCmd.EXE Execution
Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
Renamed Office Binary Execution
Detects the execution of a renamed office binary
Renamed PAExec Execution
Detects execution of renamed version of PAExec. Often used by attackers
Renamed PingCastle Binary Execution
Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary
Potential Renamed Rundll32 Execution
Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
Renamed Schtasks Execution
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks. One of the very common persistence techniques is schedule malicious tasks using schtasks.exe. Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
Renamed SysInternals DebugView Execution
Detects suspicious renamed SysInternals DebugView execution
Renamed ProcDump Execution
Detects the execution of a renamed ProcDump executable. This often done by attackers or malware in order to evade defensive mechanisms.
Renamed PsExec Service Execution
Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
Renamed Sysinternals Sdelete Execution
Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
Renamed Vmnat.exe Execution
Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
Potential Rundll32 Execution With DLL Stored In ADS
Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
Suspicious Advpack Call Via Rundll32.EXE
Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
Suspicious Rundll32 Invoking Inline VBScript
Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
Suspicious Key Manager Access
Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
Mshtml.DLL RunHTMLApplication Suspicious Usage
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
Rundll32 Execution Without CommandLine Parameters
Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
Suspicious NTLM Authentication on the Printer Spooler Service
Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Rundll32 Registered COM Objects
load malicious registered COM objects
Shell32 DLL Execution in Suspicious Directory
Detects shell32.dll executing a DLL in a suspicious directory
RunDLL32 Spawning Explorer
Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
Suspicious Control Panel DLL Load
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Suspicious Rundll32 Execution With Image Extension
Detects the execution of Rundll32.exe with DLL files masquerading as image files
Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
Suspicious ShellExec_RunDLL Call Via Ordinal
Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
ShimCache Flush
Detects actions that clear the local ShimCache and remove forensic evidence
Suspicious Rundll32 Activity Invoking Sys File
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
Rundll32 UNC Path Execution
Detects rundll32 execution where the DLL is located on a remote location (share)
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Rundll32 Execution Without Parameters
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Possible Privilege Escalation via Weak Service Permissions
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
Service DACL Abuse To Hide Services Via Sc.EXE
Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
Suspicious Service Path Modification
Detects service path modification via the "sc" binary to a suspicious command or path
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload
Suspicious Scheduled Task Creation Involving Temp Folder
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.