Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

412 rules found for "attack.T1059"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

Suspicious Browser Child Process - MacOS

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

macOSProcess Creation
TA0001 · Initial AccessTA0002 · ExecutionT1189 · Drive-by CompromiseT1203 · Exploitation for Client Execution+1
Sohan G (D4rkCiph3r)Wed Apr 05macos
Detectionmediumtest

Suspicious Execution via macOS Script Editor

Detects when the macOS Script Editor utility spawns an unusual child process.

macOSProcess Creation
T1566 · PhishingT1566.002 · Spearphishing LinkTA0001 · Initial AccessT1059 · Command and Scripting Interpreter+7
Tim Rauch+1Fri Oct 21macos
Detectionmediumtest

Potential In-Memory Download And Compile Of Payloads

Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware

macOSProcess Creation
TA0011 · Command and ControlTA0002 · ExecutionT1059.007 · JavaScriptT1105 · Ingress Tool Transfer
Sohan G (D4rkCiph3r)+1Tue Aug 22macos
Detectionlowtest

Remote Access Tool - ScreenConnect Command Execution

Detects command execution via ScreenConnect RMM

Windowsapplication
TA0002 · ExecutionT1059.003 · Windows Command Shell
Ali AlwashaliTue Oct 10windows
Detectionlowtest

Remote Access Tool - ScreenConnect File Transfer

Detects file being transferred via ScreenConnect RMM

Windowsapplication
TA0002 · ExecutionT1059.003 · Windows Command Shell
Ali AlwashaliTue Oct 10windows
Detectionmediumtest

AppLocker Prevented Application or Script from Running

Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Windowsapplocker
TA0002 · ExecutionT1204.002 · Malicious FileT1059.001 · PowerShellT1059.003 · Windows Command Shell+3
Pushkarev DmitrySun Jun 28windows
Detectionhightest

Hacktool Ruler

This events that are generated when using the hacktool Ruler by Sensepost

Windowssecurity
TA0005 · Defense EvasionTA0007 · DiscoveryTA0002 · ExecutionTA0009 · Collection+5
Florian Roth (Nextron Systems)Wed May 31windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - Security

Detects Obfuscated use of Clip.exe to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - Security

Detects Obfuscated use of stdin to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - Security

Detects Obfuscated use of Environment Variables to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - Security

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionhightest

Invoke-Obfuscation Via Stdin - Security

Detects Obfuscated Powershell via Stdin in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - Security

Detects Obfuscated Powershell via use Clip.exe in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - Security

Detects Obfuscated Powershell via use MSHTA in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - Security

Detects Obfuscated Powershell via use Rundll32 in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

Detects Obfuscated Powershell via VAR++ LAUNCHER

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
Detectionhightest

Remote PowerShell Sessions Network Connections (WinRM)

Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986

Windowssecurity
TA0002 · ExecutionT1059.001 · PowerShell
Roberto Rodriguez (Cyb3rWard0g)Thu Sep 12windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - System

Detects Obfuscated use of Clip.exe to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - System

Detects Obfuscated use of stdin to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - System

Detects Obfuscated use of Environment Variables to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - System

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - System

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionhightest

Invoke-Obfuscation Via Stdin - System

Detects Obfuscated Powershell via Stdin in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - System

Detects Obfuscated Powershell via use Clip.exe in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - System

Detects Obfuscated Powershell via use MSHTA in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - System

Detects Obfuscated Powershell via use Rundll32 in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Detects Obfuscated Powershell via VAR++ LAUNCHER

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
Detectionhighstable

Windows Defender AMSI Trigger Detected

Detects triggering of AMSI by Windows Defender.

Windowswindefend
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
Bhabesh RajMon Sep 14windows
Detectionhighstable

Windows Defender Threat Detected

Detects actions taken by Windows Defender malware detection engines

Windowswindefend
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
Ján TrenčanskýTue Jul 28windows
Detectionhightest

HackTool - CACTUSTORCH Remote Thread Creation

Detects remote thread creation from CACTUSTORCH as described in references.

WindowsRemote Thread Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0002 · ExecutionT1055.012 · Process Hollowing+3
Thomas PatzkeFri Feb 01windows
Detectionmediumtest

Remote Thread Creation Via PowerShell In Uncommon Target

Detects the creation of a remote thread from a Powershell process in an uncommon target process

WindowsRemote Thread Creation
TA0005 · Defense EvasionTA0002 · ExecutionT1218.011 · Rundll32T1059.001 · PowerShell
Florian Roth (Nextron Systems)Mon Jun 25windows
Detectionhighexperimental

DNS Query by Finger Utility

Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.

WindowsDNS Query
TA0011 · Command and ControlT1071.004 · DNSTA0002 · ExecutionT1059.003 · Windows Command Shell
Swachchhanda Shrawan Poudel (Nextron Systems)Wed Nov 19windows
Detectionhightest

BloodHound Collection Files

Detects default file names outputted by the BloodHound collection tool SharpHound

WindowsFile Event
TA0007 · DiscoveryT1087.001 · Local AccountT1087.002 · Domain AccountT1482 · Domain Trust Discovery+4
C.J. MayTue Aug 09windows
Detectionlowexperimental

Suspicious Deno File Written from Remote Source

Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.

WindowsFile Event
TA0002 · ExecutionT1204 · User ExecutionT1059.007 · JavaScriptTA0011 · Command and Control+1
Josh Nickels+1Thu May 22windows
Detectionhightest

WScript or CScript Dropper - File

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

WindowsFile Event
TA0002 · ExecutionT1059.005 · Visual BasicT1059.007 · JavaScript
Tim SheltonMon Jan 10windows
Detectionhightest

Adwind RAT / JRAT File Artifact

Detects javaw.exe in AppData folder as used by Adwind / JRAT

WindowsFile Event
TA0002 · ExecutionT1059.005 · Visual BasicT1059.007 · JavaScript
Florian Roth (Nextron Systems)+3Fri Nov 10windows
Detectionhightest

PCRE.NET Package Temp Files

Detects processes creating temp files related to PCRE.NET package

WindowsFile Event
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
Roberto Rodriguez (Cyb3rWard0g)+1Thu Oct 29windows
Detectionmediumtest

Suspicious File Created In PerfLogs

Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files

WindowsFile Event
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
Nasreddine Bencherchali (Nextron Systems)Fri May 05windows
Detectionhightest

Malicious PowerShell Scripts - FileCreation

Detects the creation of known offensive powershell scripts used for exploitation

WindowsFile Event
TA0002 · ExecutionT1059.001 · PowerShell
Markus Neis+3Sat Apr 07windows
Detectionlowtest

Remote Access Tool - ScreenConnect Temporary File

Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.

WindowsFile Event
TA0002 · ExecutionT1059.003 · Windows Command Shell
Ali AlwashaliTue Oct 10windows
Detectionhightest

Windows Shell/Scripting Application File Write to Suspicious Folder

Detects Windows shells and scripting applications that write files to suspicious folders

WindowsFile Event
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
Florian Roth (Nextron Systems)Sat Nov 20windows
Detectionhightest

Suspicious Interactive PowerShell as SYSTEM

Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context

WindowsFile Event
TA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)Tue Dec 07windows
Detectionmediumexperimental

Clfs.SYS Loaded By Process Located In a Potential Suspicious Location

Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.

WindowsImage Load (DLL)
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
X__JuniorMon Jan 20windows
Detectionhightest

PCRE.NET Package Image Load

Detects processes loading modules related to PCRE.NET package

WindowsImage Load (DLL)
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
Roberto Rodriguez (Cyb3rWard0g)+1Thu Oct 29windows
Detectionmediumtest

PowerShell Core DLL Loaded By Non PowerShell Process

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

WindowsImage Load (DLL)
T1059.001 · PowerShellTA0002 · Execution
Tom Kern+5Thu Nov 14windows
Detectionhightest

Abusable DLL Potential Sideloading From Suspicious Location

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

WindowsImage Load (DLL)
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
X__Junior (Nextron Systems)Tue Jul 11windows
Detectionmediumexperimental

MMC Loading Script Engines DLLs

Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.

WindowsImage Load (DLL)
TA0002 · ExecutionTA0005 · Defense EvasionT1059.005 · Visual BasicT1218.014 · MMC
Swachchhanda Shrawan Poudel (Nextron Systems)Wed Feb 05windows
1239