Sigma Rules
3,332 rules found
Remote Access Tool - ScreenConnect Command Execution
Detects command execution via ScreenConnect RMM
Remote Access Tool - ScreenConnect File Transfer
Detects file being transferred via ScreenConnect RMM
Microsoft Malware Protection Engine Crash - WER
This rule detects a suspicious crash of the Microsoft Malware Protection Engine
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.
Sysinternals Tools AppX Versions Execution
Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.
Deployment AppX Package Was Blocked By AppLocker
Detects an appx package deployment that was blocked by AppLocker policy.
Remote AppX Package Downloaded from File Sharing or CDN Domain
Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
Potential Malicious AppX Package Installation Attempts
Detects potential installation or installation attempts of known malicious appx packages
Deployment Of The AppX Package Was Blocked By The Policy
Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy: - Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy - Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy - Event ID 453: Package blocked by a platform policy - Event ID 454: Package blocked by a platform policy.
AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.
Suspicious Digital Signature Of AppX Package
Detects execution of AppX packages with known suspicious or malicious signatures
New BITS Job Created Via Bitsadmin
Detects the creation of a new BITS job by Bitsadmin
New BITS Job Created Via PowerShell
Detects the creation of a new BITS job by PowerShell
BITS Transfer Job Downloading File Potential Suspicious Extension
Detects a new BITS transfer job saving local files with potentially suspicious extensions
BITS Transfer Job Download From File Sharing Domains
Detects BITS transfer job downloading files from a file sharing domain.
BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
BITS Transfer Job With Uncommon Or Suspicious Remote TLD
Detects a suspicious download using the BITS client from an unusual FQDN. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
BITS Transfer Job Download To Potential Suspicious Folder
Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location
Certificate Private Key Acquired
Detects when an application acquires a certificate private key
Certificate Exported From Local Certificate Store
Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
Detects block events for files that are disallowed by code integrity for protected processes
CodeIntegrity - Blocked Image/Driver Load For Policy Violation
Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
CodeIntegrity - Blocked Driver Load With Revoked Certificate
Detects blocked load attempts of revoked drivers
CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver
CodeIntegrity - Blocked Image Load With Revoked Certificate
Detects blocked image load events with revoked certificates by code integrity.
CodeIntegrity - Revoked Image Loaded
Detects image load events with revoked certificates by code integrity.
CodeIntegrity - Unsigned Kernel Module Loaded
Detects the presence of a loaded unsigned kernel module on the system.
CodeIntegrity - Unsigned Image Loaded
Detects an unsigned image loaded on the system
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.
Loading Diagcab Package From Remote Path
Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
DNS Query To MEGA Hosting Website - DNS Client
Detects DNS queries for subdomains related to MEGA sharing website
DNS Query To Put.io - DNS Client
Detects DNS queries for subdomains related to "Put.io" sharing website.
Query Tor Onion Address - DNS Client
Detects DNS resolution of an .onion address related to Tor routing networks
DNS Query To Ufile.io - DNS Client
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
Failed DNS Zone Transfer
Detects when a DNS zone transfer failed.
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
USB Device Plugged
Detects plugged/unplugged USB devices
Uncommon New Firewall Rule Added In Windows Firewall Exception List
Detects when a rule has been added to the Windows Firewall exception list
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application
Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when all the rules have been deleted from the Windows Defender Firewall configuration
A Rule Has Been Deleted From The Windows Firewall Exception List
Detects when a single rule or all of the rules have been deleted from the Windows Defender Firewall
The Windows Defender Firewall Service Failed To Load Group Policy
Detects activity when the Windows Defender Firewall service failed to load Group Policy
Windows Defender Firewall Has Been Reset To Its Default Configuration
Detects activity when Windows Defender Firewall has been reset to its default configuration