Sigma Rules
1,585 rules found for "defense-evasion"
UAC Bypass Tools Using ComputerDefaults
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
UAC Bypass Using Consent and Comctl32 - Process
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
UAC Bypass Using DismHost
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
UAC Bypass Using Event Viewer RecentViews
Detects the pattern of UAC Bypass using Event Viewer RecentViews
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
UAC Bypass via Windows Firewall Snap-In Hijack
Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
UAC Bypass Using IDiagnostic Profile
Detects the "IDiagnosticProfileUAC" UAC bypass technique
UAC Bypass Using IEInstal - Process
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
UAC Bypass Using MSConfig Token Modification - Process
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
UAC Bypass Using PkgMgr and DISM
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Potential UAC Bypass Via Sdclt.EXE
A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
UAC Bypass Abusing Winsat Path Parsing - Process
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - Process
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Bypass UAC via WSReset.exe
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
UAC Bypass WSReset
Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
Uninstall Crowdstrike Falcon Sensor
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
User Shell Folders Registry Modification via CommandLine
Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
Registry Modification Attempt Via VBScript
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.
Verclsid.exe Runs COM Object
Detects when verclsid.exe is used to run COM object via GUID
Virtualbox Driver Installation or Starting of VMs
Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
Suspicious VBoxDrvInst.exe Parameters
Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
Potentially Suspicious Child Process Of VsCode
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
Potential Binary Proxy Execution Via VSDiagnostics.EXE
Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
Proxy Execution via Vshadow
Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits. VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag, attackers can leverage this parameter to proxy the execution of malware.
Suspicious Vsls-Agent Command With AgentExtensionPath Load
Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
Vulnerable Driver Blocklist Registry Tampering Via CommandLine
Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
Wab Execution From Non Default Location
Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
Wab/Wabmig Unusual Parent Or Child Processes
Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
Potential ReflectDebugger Content Execution Via WerFault.EXE
Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
PPL Tampering Via WerFaultSecure
Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool: - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
Suspicious Child Process Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
Add New Download Source To Winget
Detects usage of winget to add new additional download sources
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
Add Potential Suspicious New Download Source To Winget
Detects usage of winget to add new potentially suspicious download sources
Install New Package Via Winget Local Manifest
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Remote Code Execute via Winrm.vbs
Detects an attempt to execute code or create service on remote host via winrm.vbs.
Winrs Local Command Execution
Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
Wlrmdr.EXE Uncommon Argument Or Child Process
Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
Potential Remote SquiblyTwo Technique Execution
Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
Registry Manipulation via WMI Stdregprov
Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
Suspicious WMIC Execution Via Office Process
Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
Potential Tampering With Security Products Via WMIC
Detects uninstallation or termination of security products using the WMIC utility
XSL Script Execution Via WMIC.EXE
Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.