Sigma Rules
1,478 rules found for "execution"
Uncommon FileSystem Load Attempt By Format.com
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
Use of FSharp Interpreters
Detects the execution of the FSharp interpreters "FsiAnyCpu.exe" and "FSi.exe". Both can be used for AWL bypass and to execute F# code via scripts or inline.
Potentially Suspicious NTFS Symlink Behavior Modification
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
Potential Arbitrary Command Execution Via FTP.EXE
Detects execution of an "ftp.exe" script with the "-s" or "/s" flag and any child processes run by "ftp.exe".
Arbitrary File Download Via GfxDownloadWrapper.EXE
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file.
Suspicious Git Clone
Detects execution of "git" to clone a remote repository that contains potentially suspicious keywords.
Github Self-Hosted Runner Execution
Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
File Decryption Using Gpg4win
Detects usage of Gpg4win to decrypt files
File Encryption Using Gpg4win
Detects usage of Gpg4win to encrypt files
Portable Gpg.EXE Execution
Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
File Encryption/Decryption Via Gpg4win From Suspicious Locations
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
Gpresult Display Group Policy Information
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
File Download Using Notepad++ GUP Utility
Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
HH.EXE Execution
Detects the execution of "hh.exe" to open ".chm" files.
Remote CHM File Download/Execution Via HH.EXE
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
HackTool - ADCSPwn Execution
Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying to the certificate service
HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
HackTool - Certify Execution
Detects Certify, a tool for Active Directory certificate abuse, based on PE metadata characteristics and common command line arguments.
HackTool - Certipy Execution
Detects execution of Certipy, a tool for Active Directory Certificate Services enumeration and abuse, based on PE metadata characteristics and common command line arguments.
Operator Bloopers Cobalt Strike Commands
Detects use of Cobalt Strike commands accidentally entered in the CMD shell
Operator Bloopers Cobalt Strike Modules
Detects Cobalt Strike module/commands accidentally entered in CMD shell
Potential CobaltStrike Process Patterns
Detects potential process patterns related to Cobalt Strike beacon activity
HackTool - CoercedPotato Execution
Detects the use of CoercedPotato, a tool for privilege escalation
HackTool - Covenant PowerShell Launcher
Detects suspicious command lines used in Covenant launchers
HackTool - CrackMapExec Execution
This rule detects common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
HackTool - CrackMapExec Execution Patterns
Detects various execution patterns of the CrackMapExec pentesting framework
HackTool - CrackMapExec PowerShell Obfuscation
The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
HackTool - CreateMiniDump Execution
Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
HackTool - DInjector PowerShell Cradle Execution
Detects the use of the Dinject PowerShell cradle based on the specific flags
HackTool - Doppelanger LSASS Dumper Execution
Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
HackTool - Dumpert Process Dumper Execution
Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
Hacktool - EDR-Freeze Execution
Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
HackTool - EDRSilencer Execution
Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server. Detection is based on PE metadata information.
HackTool - Empire PowerShell Launch Parameters
Detects suspicious PowerShell command line parameters used in Empire
Hacktool Execution - Imphash
Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
Hacktool Execution - PE Metadata
Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
HackTool - GMER Rootkit Detector and Remover Execution
Detects the execution of the GMER tool based on image and hash fields.
HackTool - HandleKatz LSASS Dumper Execution
Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
HackTool - Hashcat Password Cracker Execution
Detects the execution of Hashcat.exe with a provided SAM file from the Windows registry and a password list to crack against
HackTool - HollowReaper Execution
Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
HackTool - Htran/NATBypass Execution
Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
HackTool - Hydra Password Bruteforce Execution
Detects command line parameters used by Hydra password guessing hack tool
HackTool - Potential Impacket Lateral Movement Activity
Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
HackTool - Impacket Tools Execution
Detects the execution of different compiled Windows binaries of the Impacket toolset (based on names or parts of their names; could lead to false positives)