Sigma Rules
1,478 rules found for "execution"
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
New Process Created Via Wmic.EXE
Detects new process creation using WMIC via the "process call create" flag
Computer System Reconnaissance Via Wmic.EXE
Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
Hardware Model Reconnaissance Via Wmic.EXE
Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
Local Groups Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Windows Hotfix Updates Reconnaissance Via Wmic.EXE
Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
Process Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
Potential Product Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall and antivirus products
Potential Product Class Reconnaissance Via Wmic.EXE
Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
Service Reconnaissance Via Wmic.EXE
An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE
Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
System Disk And Volume Reconnaissance Via Wmic.EXE
An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the 'wmic' command-line utility and has been observed being used by threat actors such as Volt Typhoon.
WMIC Remote Command Execution
Detects the execution of WMIC to query information on a remote system
Service Started/Stopped Via Wmic.EXE
Detects usage of wmic to start or stop a service
Potential Remote SquiblyTwo Technique Execution
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
Registry Manipulation via WMI Stdregprov
Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
Suspicious WMIC Execution Via Office Process
Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
Suspicious Process Created Via Wmic.EXE
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
Application Terminated Via Wmic.EXE
Detects calls to the "terminate" function via wmic in order to kill an application
Application Removed Via Wmic.EXE
Detects the removal or uninstallation of an application via "Wmic.EXE".
XSL Script Execution Via WMIC.EXE
Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
WmiPrvSE Spawned A Process
Detects WmiPrvSE spawning a process
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE
UEFI Persistence Via Wpbbin - ProcessCreation
Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
Potential Dropper Script Execution Via WScript/CScript
Detects wscript/cscript executions of scripts located in user directories
Cscript/Wscript Potentially Suspicious Child Process
Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
Cscript/Wscript Uncommon Script Extension Execution
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
WSL Child Process Anomaly
Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
Installation of WSL Kali-Linux
Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL). Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
Windows Binary Executed From WSL
Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
Proxy Execution Via Wuauclt.EXE
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Suspicious Windows Update Agent Empty Cmdline
Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Wusa.EXE Executed By Parent Process Located In Suspicious Location
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
Xwizard.EXE Execution From Non-Default Location
Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
COM Object Execution via Xwizard.EXE
Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.
CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
HybridConnectionManager Service Installation - Registry
Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
DLL Load via LSASS
Detects a method to load DLL via LSASS process using an undocumented Registry key
Registry Tampering by Potentially Suspicious Processes
Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.
ClickOnce Trust Prompt Tampering
Detects changes to the ClickOnce trust prompt registry key in order to enable an installation from different locations such as the Internet.
Potential CobaltStrike Service Installations - Registry
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement.
Custom File Open Handler Executes PowerShell
Detects the abuse of custom file open handler, executing powershell
Windows Event Log Access Tampering Via Registry
Detects changes to the Windows EventLog channel permission values. It focuses on changes to the Security Descriptor Definition Language (SDDL) string, as modifications to these values can restrict access to specific users or groups, potentially aiding in defense evasion by controlling who can view or modify a event log channel. Upon execution, the user shouldn't be able to access the event log channel via the event viewer or via utilities such as "Get-EventLog" or "wevtutil".
Add DisallowRun Execution to Registry
Detect set DisallowRun to 1 to prevent user running specific computer program