Sigma Rules
888 rules found for "persistence"
Potential COLDSTEEL Persistence Service DLL Creation
Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
Potential COLDSTEEL Persistence Service DLL Load
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
COLDSTEEL RAT Anonymous User Process Execution
Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
COLDSTEEL RAT Cleanup Command Execution
Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples
COLDSTEEL RAT Service Persistence Execution
Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT
Potential COLDSTEEL RAT Windows User Creation
Detects creation of a new user profile with a specific username, seen being used by some variants of the COLDSTEEL RAT.
COLDSTEEL Persistence Service Creation
Detects the creation of new services potentially related to COLDSTEEL RAT
DarkGate - User Created Via Net.EXE
Detects creation of local users via the net.exe command with the name of "DarkGate"
SNAKE Malware WerFault Persistence File Creation
Detects the creation of a file named "WerFault.exe" in the WinSxS directory by a non-system process, which can be indicative of potential SNAKE malware activity
Potential SNAKE Malware Persistence Service Execution
Detects a specific child/parent process relationship indicative of a "WerFault" process running from the "WinSxS" as a service. This could be indicative of potential SNAKE malware activity as reported by CISA.
SNAKE Malware Covert Store Registry Key
Detects any registry event that targets the key 'SECURITY\Policy\Secrets\n' which is a key related to SNAKE malware as described by CISA
Potential Encrypted Registry Blob Related To SNAKE Malware
Detects the creation of a registry value in the ".wav\OpenWithProgIds" key with an uncommon name. This could be related to SNAKE Malware as reported by CISA
SNAKE Malware Service Persistence
Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
DLL Names Used By SVR For GraphicalProton Backdoor
Hunts known SVR-specific DLL names.
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
Hunts for known SVR-specific scheduled task names
Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
Hunts for known SVR-specific scheduled task names
Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
Diamond Sleet APT Scheduled Task Creation
Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
Lazarus APT DLL Sideloading Activity
Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
UNC4841 - Email Exfiltration File Pattern
Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
UNC4841 - Barracuda ESG Exploitation Indicators
Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
ScreenConnect User Database Modification
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
Potential KamiKakaBot Activity - Winlogon Shell Persistence
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
Kapeka Backdoor Persistence Activity
Detects Kapeka backdoor persistence activity. Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not). For the scheduled task, it creates a scheduled task called "Sens Api" via schtasks command, which is set to run upon system startup as SYSTEM. To establish persistence through the autorun utility, it adds an autorun entry called "Sens Api" under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run via the "reg add" command. Both persistence mechanisms are set to launch the binary by calling rundll32 and passing the backdoor's first export ordinal (#1) without any additional argument.
Kapeka Backdoor Autorun Persistence
Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
Kapeka Backdoor Configuration Persistence
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key. The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
Kapeka Backdoor Scheduled Task Creation
Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
Potential Raspberry Robin Aclui Dll SideLoading
Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
Potential Raspberry Robin Registry Set Internet Settings ZoneMap
Detects registry modifications related to the proxy configuration of the system, potentially associated with the Raspberry Robin malware, as seen in campaigns running in Q1 2024. Raspberry Robin may alter proxy settings to circumvent security measures, ensuring unhindered connection with Command and Control servers for maintaining control over compromised systems if there are any proxy settings that are blocking connections.
Forest Blizzard APT - Custom Protocol Handler Creation
Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.
Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.
Potential Exploitation of GoAnywhere MFT Vulnerability
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035. This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
Suspicious Process Spawned by CentreStack Portal AppPool
Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)
Potential SAP NetWeaver Webshell Creation - Linux
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
Potential SAP NetWeaver Webshell Creation
Detects the creation of suspicious files (jsp, java, class) in SAP NetWeaver directories, which may indicate exploitation attempts of vulnerabilities such as CVE-2025-31324.
Suspicious Child Process of SAP NetWeaver - Linux
Detects suspicious child processes spawned by SAP NetWeaver on Linux systems that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
Suspicious Child Process of SAP NetWeaver
Detects suspicious child processes spawned by SAP NetWeaver that could indicate potential exploitation of vulnerability that allows arbitrary execution via webshells such as CVE-2025-31324.
Potential SAP NetViewer Webshell Command Execution
Detects potential command execution via webshell in SAP NetViewer through JSP files with cmd parameter. This rule is created to detect exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution via a webshell.
Potential Java WebShell Upload in SAP NetViewer Server
Detects potential Java webshell uploads via HTTP requests with Content-Type 'application/octet-stream' and Java file extensions. This behavior might indicate exploitation of vulnerabilities like CVE-2025-31324, which allows remote code execution through webshells in SAP NetViewer.
Potential Notepad++ CVE-2025-49144 Exploitation
Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path. This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer. The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.
Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)
Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.
Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop. This is a post-authentication step corresponding to CVE-2025-57790.
Atomic MacOS Stealer - Persistence Indicators
Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.