Sigma Rules
1,473 rules found
Potential Password Reconnaissance Via Findstr.EXE
Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
New Self Extracting Package Created Via IExpress.EXE
Detects the "iexpress.exe" utility creating self-extracting packages. Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files. Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
Microsoft Workflow Compiler Execution
Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
SMB over QUIC Via Net.EXE
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
Suspicious New Instance Of An Office COM Object
Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.
Potentially Suspicious PowerShell Child Processes
Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.
Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
Detects the execution of Action1 in order to execute arbitrary code or establish a remote session. Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries. Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. Hunting Opportunity 1- Weed Out The Noise When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1": ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0" After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences. Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
Remote Access Tool - Ammy Admin Agent Execution
Detects the execution of the Ammy Admin RMM agent for remote management.
Remote Access Tool - Cmd.EXE Execution via AnyViewer
Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
Detects remote binary or command execution via the ScreenConnect Service. Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
DLL Call by Ordinal Via Rundll32.EXE
Detects calls of DLLs exports by ordinal numbers via rundll32.dll.
Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
Scheduled Task Creation From Potential Suspicious Parent Location
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
Potential CommandLine Obfuscation Using Unicode Characters
Detects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Potentially Suspicious Compression Tool Parameters
Detects potentially suspicious command line arguments of common data compression tools
Elevated System Shell Spawned
Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
EventLog Query Requests By Builtin Utilities
Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
Execution From Webserver Root Folder
Detects a program executing from a web server root folder. Use this rule to hunt for potential interesting activity such as webshell or backdoors
Tunneling Tool Execution
Detects the execution of well known tools that can be abused for data exfiltration and tunneling.
File or Folder Permissions Modifications
Detects a file or folder's permissions being modified or tampered with.
Use Short Name Path in Command Line
Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations. Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs. When investigating, examine: - Commands using short paths to access sensitive directories or files - Web servers on Windows (especially Apache) where short filenames could bypass security controls - Correlation with other suspicious behaviors - baseline of short name usage in your environment and look for deviations
Manual Execution of Script Inside of a Compressed File
This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries. From the query below, the child process is the script interpreter that will execute the script. The script extension is also a set of standard extensions that Windows OS recognizes. Selections 1-3 contain three different execution scenarios. 1. Compressed file opened using 7zip. 2. Compressed file opened using WinRar. 3. Compressed file opened using native windows File Explorer capabilities. When the malicious script is double-clicked, it will be extracted to the respected directories as signified by the CommandLine on each of the three Selections. It will then be executed using the relevant script interpreter."
FTP Connection Open Attempt Via Winscp CLI
Detects the execution of Winscp with the "-command" and the "open" flags in order to open an FTP connection. Akira ransomware was seen using this technique in order to exfiltrate data.
Winscp Execution From Non Standard Folder
Detects the execution of Winscp from an a non standard folder. This could indicate the execution of Winscp portable.
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
Arbitrary Command Execution Using WSL
Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a Living of the Land binary in order to execute arbitrary Linux or Windows commands.
Cab File Extraction Via Wusa.EXE
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument that is no longer supported.
Microsoft Office Trusted Location Updated
Detects changes to the registry keys related to "Trusted Location" of Microsoft Office. Attackers might add additional trusted locations to avoid macro security restrictions.
Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.
Service Binary in User Controlled Folder
Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\". Attackers often use such directories for staging purposes. This rule might also trigger on badly written software, where if an attacker controls an auto starting service, they might achieve persistence or privilege escalation. Note that while ProgramData is a user controlled folder, software might apply strict ACLs which makes them only accessible to admin users. Remove such folders via filters if you experience a lot of noise.
Default Credentials Usage
Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts. Sigma detects default credentials usage. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management.