Sigma Rules
1,478 rules found for "execution"
FileFix - Command Evidence in TypedPaths
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.
NET NGenAssemblyUsageLog Registry Key Tamper
Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
New Application in AppCompat
A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
Python Function Execution Security Warning Disabled In Excel - Registry
Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Enable Microsoft Dynamic Data Exchange
Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
Office Macros Warning Disabled
Detects registry changes to Microsoft Office "VBAWarning" to a value of "1" which enables the execution of all macros, whether signed or unsigned.
Potential Persistence Via GlobalFlags
Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys
Potential Persistence Via Outlook Home Page
Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
Potential ClickFix Execution Pattern - Registry
Detects potential ClickFix malware execution patterns by monitoring registry modifications in RunMRU keys containing HTTP/HTTPS links. ClickFix is known to be distributed through phishing campaigns and uses techniques like clipboard hijacking and fake CAPTCHA pages. Through the fakecaptcha pages, the adversary tricks users into opening the Run dialog box and pasting clipboard-hijacked content, such as one-liners that execute remotely hosted malicious files or scripts.
PowerShell as a Service in Registry
Detects that a powershell code is written to the registry as a service.
PowerShell Script Execution Policy Enabled
Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.
Potential PowerShell Execution Policy Tampering
Detects changes to the PowerShell execution policy in order to bypass signing requirements for script execution
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG
Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
PUA - Sysinternal Tool Execution - Registry
Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key
Suspicious Execution Of Renamed Sysinternals Tools - Registry
Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
PUA - Sysinternals Tools Execution - Registry
Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.
Usage of Renamed Sysinternals Tools - RegistrySet
Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
ScreenSaver Registry Key Set
Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
Suspicious Space Characters in RunMRU Registry Path - ClickFix
Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.
Suspicious Space Characters in TypedPaths Registry Path - FileFix
Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
WFP Filter Added via Registry
Detects registry modifications that add Windows Filtering Platform (WFP) filters, which may be used to block security tools and EDR agents from reporting events.
Scheduled TaskCache Change by Uncommon Program
Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
Potential Registry Persistence Attempt Via Windows Telemetry
Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
Execution DLL of Choice Using WAB.EXE
This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.
Suspicious Encoded Scripts in a WMI Consumer
Detects suspicious encoded payloads in WMI Event Consumers
Suspicious Scripting in a WMI Consumer
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
Rejetto HTTP File Server RCE
Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
ZxShell Malware
Detects a ZxShell start by the called and well-known function name
Turla Group Lateral Movement
Detects automated lateral movement by Turla group
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
Exploit for CVE-2017-0261
Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
Droppers Exploiting CVE-2017-11882
Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
Exploit for CVE-2017-8759
Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
Adwind RAT / JRAT
Detects javaw.exe in AppData folder as used by Adwind / JRAT
CosmicDuke Service Installation
Detects the installation of a service named "javamtsup" on the system. The CosmicDuke info stealer uses Windows services typically named "javamtsup" for persistence.
Fireball Archer Install
Detects Archer malware invocation via rundll32
Potential PlugX Activity
Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location
Potential APT10 Cloud Hopper Activity
Detects potential process and execution activity related to APT10 Cloud Hopper operation
Ps.exe Renamed SysInternals Tool
Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report
Turla Group Named Pipes
Detects a named pipe used by Turla group samples
Elise Backdoor Activity
Detects Elise backdoor activity used by APT32
APT27 - Emissary Panda Activity
Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27
Sofacy Trojan Loader Activity
Detects Trojan loader activity as used by APT28
APT29 2018 Phishing Campaign CommandLine Indicators
Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant
Potential MuddyWater APT Activity
Detects potential Muddywater APT activity