Sigma Rules
1,585 rules found for "defense-evasion"
DLL Load By System Process From Suspicious Locations
Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"
Python Image Load By Non-Python Process
Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code. Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables. Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
DotNet CLR DLL Loaded By Scripting Applications
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
Unsigned DLL Loaded by Windows Utility
Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
UAC Bypass With Fake DLL
Attempts to load dismcore.dll after dropping it
MMC Loading Script Engines DLLs
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
WMIC Loading Scripting Libraries
Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.
Network Connection Initiated By AddinUtil.EXE
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
Outbound Network Connection Initiated By Cmstp.EXE
Detects a network connection initiated by Cmstp.EXE Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
Network Connection Initiated Via Notepad.EXE
Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.
Office Application Initiated Network Connection Over Uncommon Ports
Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
RegAsm.EXE Initiating Network Connection To Public IP
Detects "RegAsm.exe" initiating a network connection to public IP adresses
Network Connection Initiated By Regsvr32.EXE
Detects a network connection initiated by "Regsvr32.exe"
Rundll32 Internet Connection
Detects a rundll32 that communicates with public IP addresses
Silenttrinity Stager Msbuild Activity
Detects a possible remote connections to Silenttrinity c2
Suspicious Network Connection Binary No CommandLine
Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
Uncommon Outbound Kerberos Connection
Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
Outbound Network Connection To Public IP Via Winlogon
Detects a "winlogon.exe" process that initiate network communications with public IP addresses
Suspicious Wordpad Outbound Connections
Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.
Potentially Suspicious Wuauclt Network Connection
Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
CobaltStrike Named Pipe
Detects the creation of a named pipe as used by CobaltStrike
CobaltStrike Named Pipe Pattern Regex
Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
CobaltStrike Named Pipe Patterns
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
HackTool - CoercedPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool CoercedPotato
HackTool - EfsPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool EfsPotato
HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
PowerShell Downgrade Attack - PowerShell
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
Potential RemoteFXvGPUDisablement.EXE Abuse
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Renamed Powershell Under Powershell Channel
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
Tamper Windows Defender - PSClassic
Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Clear PowerShell History - PowerShell Module
Detects keywords that could indicate clearing PowerShell history
PowerShell Decompress Commands
A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell Module
Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
Detects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - PowerShell Module
Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - PowerShell Module
Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - PowerShell Module
Detects Obfuscated Powershell via use MSHTA in Scripts