Sigma Rules
3,116 rules found
Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
Potential Credential Dumping Attempt Via PowerShell Remote Thread
Detects remote thread creation by PowerShell processes into "lsass.exe"
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a Powershell process in an uncommon target process
Password Dumper Remote Thread in LSASS
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Remote Thread Creation In Uncommon Target Image
Detects uncommon target processes for remote thread creation
Remote Thread Creation Ttdinject.exe Proxy
Detects a remote thread creation of Ttdinject.exe used as proxy
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Creation Of a Suspicious ADS File Outside a Browser Download
Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
Suspicious File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
Unusual File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
HackTool Named File Stream Created
Detects the creation of a named file stream with the imphash of a well-known hack tool
Exports Registry Key To an Alternate Data Stream
Exports the target Registry key and hides it in the specified alternate data stream.
Unusual File Download from Direct IP Address
Detects the download of suspicious file type from URLs with IP
Potential Suspicious Winget Package Installation
Detects potential suspicious winget package installation from a suspicious source.
Potentially Suspicious File Download From ZIP TLD
Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL
Cloudflared Tunnels Related DNS Requests
Detects DNS requests to Cloudflared tunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
DNS Query To Common Malware Hosting and Shortener Services
Detects DNS queries to domains commonly used by threat actors to host malware payloads or redirect through URL shorteners. These include platforms like Cloudflare Workers, TryCloudflare, InfinityFree, and URL shorteners such as tinyurl and lihi.cc. Such DNS activity can indicate potential delivery or command-and-control communication attempts.
DNS Query To Devtunnels Domain
Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
DNS Server Discovery Via LDAP Query
Detects DNS server discovery via LDAP query requests from uncommon applications
DNS Query To AzureWebsites.NET By Non-Browser Process
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
Notepad++ Updater DNS Query to Uncommon Domains
Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
DNS HybridConnectionManager Service Bus
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing
Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073.
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
DNS Query To MEGA Hosting Website
Detects DNS queries for subdomains related to MEGA sharing website
DNS Query Request To OneLaunch Update Service
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application. When the OneLaunch application is installed it will attempt to get updates from this domain.
DNS Query Request By QuickAssist.EXE
Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
DNS Query To Remote Access Software Domain From Non-Browser App
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Suspicious DNS Query for IP Lookup Service APIs
Detects DNS queries for IP lookup services such as "api.ipify.org" originating from a non browser process.
TeamViewer Domain Query By Non-TeamViewer Application
Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries to an ".onion" address related to Tor routing networks
DNS Query To Ufile.io
Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration
DNS Query To Visual Studio Code Tunnels Domain
Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
Malicious Driver Load
Detects loading of known malicious drivers via their hash.
Malicious Driver Load By Name
Detects loading of known malicious drivers via the file name of the drivers.
PUA - Process Hacker Driver Load
Detects driver load of the Process Hacker tool
PUA - System Informer Driver Load
Detects driver load of the System Informer tool
Driver Load From A Temporary Directory
Detects a driver load from a temporary directory
Vulnerable Driver Load
Detects loading of known vulnerable drivers via their hash.
Vulnerable Driver Load By Name
Detects the load of known vulnerable drivers via the file name of the drivers.
Vulnerable HackSys Extreme Vulnerable Driver Load
Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors
Vulnerable WinRing0 Driver Load
Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation