Sigma Rules
794 rules found for "Microsoft"
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Persistence Via Sticky Key Backdoor
By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE
Detects usage of cmdkey to look for cached credentials on the system
CMSTP Execution Process Creation
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Suspicious High IntegrityLevel Conhost Legacy Option
ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
Windows Credential Guard Registry Tampering Via CommandLine
Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
Suspicious Csi.exe Usage
Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads.
Windows Defender Context Menu Removed
Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys. This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives. Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Devcon Execution Disabling VMware VMCI Device
Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device. This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device. This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Diskshadow Script Mode - Uncommon Script Extension Execution
Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
Diskshadow Script Mode - Execution From Potential Suspicious Location
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
PowerShell Web Access Feature Enabled Via DISM
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
Potential Discovery Activity Via Dnscmd.EXE
Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
Process Memory Dump Via Dotnet-Dump
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
Potentially Over Permissive Permissions Granted Using Dsacls.EXE
Detects usage of Dsacls to grant over permissive permissions
Potential Password Spraying Attempt Using Dsacls.EXE
Detects possible password spraying attempts using Dsacls
Suspicious Kernel Dump Using Dtrace
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
Esentutl Steals Browser Information
One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
Security Tools Keyword Lookup Via Findstr.EXE
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
Use of FSharp Interpreters
Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline.
Potentially Suspicious NTFS Symlink Behavior Modification
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
Fsutil Suspicious Invocation
Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
Gpresult Display Group Policy Information
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants
Suspicious Execution of Hostname
Use of hostname to get information
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine
Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
Potential Fake Instance Of Hxtsr.EXE Executed
HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
Microsoft IIS Service Account Password Dumped
Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
IIS Native-Code Module Command Line Installation
Detects suspicious IIS native-code module installations via command line
Suspicious IIS URL GlobalRules Rewrite Via AppCmd
Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
Microsoft IIS Connection Strings Decryption
Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
IIS WebServer Log Deletion via CommandLine Utilities
Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
Suspicious IIS Module Registration
Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
File Download Via InstallUtil.EXE
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
Suspicious Execution of InstallUtil Without Log
Uses the .NET InstallUtil.exe application in order to execute image without log
Suspicious SysAidServer Child
Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
Computer Password Change Via Ksetup.EXE
Detects password change for the computer's domain account or host principal via "ksetup.exe"
Logged-On User Password Change Via Ksetup.EXE
Detects password change for the logged-on user's via "ksetup.exe"
Active Directory Structure Export Via Ldifde.EXE
Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
Import LDAP Data Interchange Format File Via Ldifde.EXE
Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
Uncommon Link.EXE Parent Process
Detects an uncommon parent process of "LINK.EXE". Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location. By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
Rebuild Performance Counter Values Via Lodctr.EXE
Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
LOLBAS Data Exfiltration by DataSvcUtil.exe
Detects when a user performs data exfiltration by using DataSvcUtil.exe