Sigma Rules
1,473 rules found
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
Findstr Launching .lnk File
Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
Permission Misconfiguration Reconnaissance Via Findstr.EXE
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
Recon Command Output Piped To Findstr.EXE
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
Security Tools Keyword Lookup Via Findstr.EXE
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
Filter Driver Unloaded Via Fltmc.EXE
Detect filter driver unloading activity via fltmc.exe
Forfiles Command Execution
Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
Use of FSharp Interpreters
Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline.
Potentially Suspicious NTFS Symlink Behavior Modification
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
Potential Arbitrary Command Execution Via FTP.EXE
Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
Arbitrary File Download Via GfxDownloadWrapper.EXE
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
Suspicious Git Clone
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
Github Self-Hosted Runner Execution
Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
File Decryption Using Gpg4win
Detects usage of Gpg4win to decrypt files
File Encryption Using Gpg4win
Detects usage of Gpg4win to encrypt files
Portable Gpg.EXE Execution
Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
Gpresult Display Group Policy Information
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
HackTool - WinRM Access Via Evil-WinRM
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
HackTool - Impersonate Execution
Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
Invoke-Obfuscation COMPRESS OBFUSCATION
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
HackTool - Jlaive In-Memory Assembly Execution
Detects the use of Jlaive to execute assemblies in a copied PowerShell
HackTool - LaZagne Execution
Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
HackTool - SharpLDAPmonitor Execution
Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
Suspicious ZipExec Execution
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Potential Fake Instance Of Hxtsr.EXE Executed
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
Use Icacls to Hide File to Everyone
Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
IIS Native-Code Module Command Line Installation
Detects suspicious IIS native-code module installations via command line
Suspicious IIS URL GlobalRules Rewrite Via AppCmd
Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
IIS WebServer Log Deletion via CommandLine Utilities
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
C# IL Code Compilation Via Ilasm.EXE
Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
InfDefaultInstall.exe .inf Execution
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
File Download Via InstallUtil.EXE
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
Suspicious Execution of InstallUtil Without Log
Uses the .NET InstallUtil.exe application in order to execute image without log
Java Running with Remote Debugging
Detects a JAVA process running with remote debugging allowing more than just localhost to connect
Shell Process Spawned by Java.EXE
Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Suspicious SysAidServer Child
Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
Windows Kernel Debugger Execution
Detects execution of the Windows Kernel Debugger "kd.exe".
Potentially Suspicious Child Process of KeyScrambler.exe
Detects potentially suspicious child processes of KeyScrambler.exe
Computer Password Change Via Ksetup.EXE
Detects password change for the computer's domain account or host principal via "ksetup.exe"
Logged-On User Password Change Via Ksetup.EXE
Detects password change for the logged-on user's via "ksetup.exe"
Active Directory Structure Export Via Ldifde.EXE
Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
Import LDAP Data Interchange Format File Via Ldifde.EXE
Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
Uncommon Link.EXE Parent Process
Detects an uncommon parent process of "LINK.EXE". Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location. By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
Rebuild Performance Counter Values Via Lodctr.EXE
Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
LOLBAS Data Exfiltration by DataSvcUtil.exe
Detects when a user performs data exfiltration by using DataSvcUtil.exe
Suspicious Diantz Alternate Data Stream Execution
Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
Suspicious Diantz Download and Compress Into a CAB File
Download and compress a remote file and store it in a cab file on local machine.