Sigma Rules
889 rules found for "persistence"
Regsvr32 DLL Execution With Uncommon Extension
Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
Remote Access Tool - ScreenConnect Installation Execution
Detects ScreenConnect program starts that establish a remote access to a system.
Remote Access Tool - Team Viewer Session Started On Windows Host
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Renamed Schtasks Execution
Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks. One of the very common persistence techniques is schedule malicious tasks using schtasks.exe. Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
Renamed Vmnat.exe Execution
Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
Rundll32 Registered COM Objects
load malicious registered COM objects
Suspicious Rundll32 Setupapi.dll Activity
setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
ShimCache Flush
Detects actions that clear the local ShimCache and remove forensic evidence
Run Once Task Execution as Configured in Registry
This rule detects the execution of Run Once task as configured in the registry
Possible Privilege Escalation via Weak Service Permissions
Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
New Service Creation Using Sc.EXE
Detects the creation of a new service using the "sc.exe" utility.
New Kernel Driver Via SC.EXE
Detects creation of a new service (kernel driver) with the type "kernel"
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
Service DACL Abuse To Hide Services Via Sc.EXE
Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
Service Security Descriptor Tampering Via Sc.EXE
Detection of sc.exe utility adding a new service with special permission which hides that service.
Suspicious Service Path Modification
Detects service path modification via the "sc" binary to a suspicious command or path
Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload
Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Suspicious Scheduled Task Creation Involving Temp Folder
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
Scheduled Task Creation with Curl and PowerShell Execution Combo
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
Schtasks From Suspicious Folders
Detects scheduled task creations that have suspicious action command and folder combinations
Suspicious Scheduled Task Name As GUID
Detects creation of a scheduled task with a GUID like name
Uncommon One Time Only Scheduled Task At 00:00
Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
Potential SSH Tunnel Persistence Install Using A Scheduled Task
Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
Potential Persistence Via Microsoft Compatibility Appraiser
Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
Potential Persistence Via Powershell Search Order Hijacking - Task
Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
Scheduled Task Executing Payload from Registry
Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
Scheduled Task Executing Encoded Payload from Registry
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Suspicious Schtasks Schedule Types
Detects scheduled task creations or modification on a suspicious schedule type
Suspicious Schtasks Schedule Type With High Privileges
Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
Suspicious Scheduled Task Creation via Masqueraded XML File
Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
Suspicious Command Patterns In Scheduled Task Creation
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
Schtasks Creation Or Modification With SYSTEM Privileges
Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
Scheduled Task Creation Masquerading as System Processes
Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
Potential Shim Database Persistence via Sdbinst.EXE
Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Uncommon Extension Shim Database Installation Via Sdbinst.EXE
Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Potential Suspicious Activity Using SeCEdit
Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
NodeJS Execution of JavaScript File
Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
Setup16.EXE Execution With Custom .Lst File
Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.
Potential Amazon SSM Agent Hijacking
Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
User Added to Local Administrators Group
Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
User Added To Highly Privileged Group
Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
User Added to Remote Desktop Users Group
Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
Writing Of Malicious Files To The Fonts Folder
Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.