Sigma Rules
889 rules found for "persistence"
Suspicious Shells Spawn by Java Utility Keytool
Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
Suspicious Processes Spawned by Java.EXE
Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
Shell Process Spawned by Java.EXE
Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or checking for the presence of such records through the `nslookup` command.
Potentially Suspicious Child Process of KeyScrambler.exe
Detects potentially suspicious child processes of KeyScrambler.exe
Ie4uinit Lolbin Use From Invalid Path
Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
Using SettingSyncHost.exe as LOLBin
Detects using SettingSyncHost.exe to run hijacked binary
Suspicious Driver Install by pnputil.exe
Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
Suspicious GrpConv Execution
Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
Potential Register_App.Vbs LOLScript Abuse
Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
Potential Mpclient.DLL Sideloading Via Defender Binaries
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Potential Process Injection Via Msra.EXE
Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
Suspicious Child Process Of SQL Server
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Suspicious Child Process Of Veeam Dabatase
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
Password Provided In Command Line Of Net.EXE
Detects a when net.exe is called with a password in the command line
New User Created Via Net.EXE
Identifies the creation of local users via the net.exe command.
New User Created Via Net.EXE With Never Expire Option
Detects creation of local users via the net.exe command with the option "never expire"
Potential Persistence Via Netsh Helper DLL
Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
Outlook EnableUnsafeClientMailRules Setting Enabled
Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
Suspicious Remote Child Process From Outlook
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
New Service Creation Using PowerShell
Detects the creation of a new service using powershell.
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Unsigned AppX Installation Attempt Using Add-AppxPackage
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
MSExchange Transport Agent Installation
Detects the Installation of a Exchange Transport Agent
Suspicious Service DACL Modification Via Set-Service Cmdlet
Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
PUA - Kernel Driver Utility (KDU) Execution
Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel. Potentially allowing for privilege escalation, persistence, or evasion of security controls.
PUA - Process Hacker Execution
Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
Potential Persistence Attempt Via Run Keys Using Reg.EXE
Detects suspicious command line reg.exe tool adding key to RUN key in Registry
Dropping Of Password Filter DLL
Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
Potentially Suspicious Desktop Background Change Using Reg.EXE
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Direct Autorun Keys Modification
Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
Potential Suspicious Registry File Imported Via Reg.EXE
Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
RestrictedAdminMode Registry Value Tampering - ProcCreation
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
Enable LM Hash Storage - ProcCreation
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Potential Tampering With RDP Related Registry Keys Via Reg.EXE
Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
Suspicious ScreenSave Change by Reg.exe
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Changing Existing Service ImagePath Value Via Reg.EXE
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Reg Add Suspicious Paths
Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
Imports Registry Key From a File
Detects the import of the specified file to the registry with regedit.exe.
Imports Registry Key From an ADS
Detects the import of a alternate datastream to the registry with regedit.exe.
Suspicious Registry Modification From ADS Via Regini.EXE
Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
Registry Modification Via Regini.EXE
Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
DLL Execution Via Register-cimprovider.exe
Detects using register-cimprovider.exe to execute arbitrary dll file.
Suspicious Debugger Registration Cmdline
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Potential Persistence Via Logon Scripts - CommandLine
Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
Potential Privilege Escalation via Service Permissions Weakness
Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
Persistence Via TypedPaths - CommandLine
Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt