Sigma Rules
1,478 rules found for "execution"
OilRig APT Activity
Detects OilRig activity as reported by Nyotron in their March 2018 report
OilRig APT Registry Persistence
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - Security
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
OilRig APT Schedule Task Persistence - System
Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
Defrag Deactivation
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
Defrag Deactivation - Security
Detects the deactivation and disabling of the Scheduled defragmentation task as seen by Slingshot APT group
TropicTrooper Campaign November 2018
Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
Potential BearLPE Exploitation
Detects potential exploitation of the BearLPE exploit using Task Scheduler ".job" import arbitrary DACL write\par
Exploiting SetupComplete.cmd CVE-2019-1378
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Potential Baby Shark Malware Activity
Detects activity that could be related to Baby Shark malware
Potential Emotet Activity
Detects all Emotet like process executions that are not covered by the more generic rules
Formbook Process Creation
Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.
Potential QBot Activity
Detects potential QBot activity by looking for process executions used previously by QBot
Potential Snatch Ransomware Activity
Detects specific process characteristics of Snatch ransomware word document droppers
Ursnif Malware C2 URL Pattern
Detects Ursnif C2 traffic.
Potential Ursnif Malware Activity - Registry
Detects registry keys related to Ursnif malware.
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects new commands that add new printer port which point to suspicious file
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
DNS RCE CVE-2020-1350
Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
Detects the execution of the commonly used ZeroLogon PoC executable.
CVE-2020-5902 F5 BIG-IP Exploitation Attempt
Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
Potential Emotet Rundll32 Execution
Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
Potential Maze Ransomware Activity
Detects specific process characteristics of Maze ransomware word document droppers
Trickbot Malware Activity
Detects Trickbot malware process tree pattern in which "rundll32.exe" is a parent of "wermgr.exe"
Greenbug Espionage Group Indicators
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
Lazarus Group Activity
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
UNC2452 Process Creation Patterns
Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
TAIDOOR RAT DLL Load
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
CVE-2021-1675 Print Spooler Exploitation Filename Pattern
Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
PrinterNightmare Mimikatz Driver Name
Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
Possible CVE-2021-1675 Print Spooler Exploitation
Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
CVE-2021-1675 Print Spooler Exploitation
Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
CVE-2021-1675 Print Spooler Exploitation IPC Access
Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
Possible PrintNightmare Print Driver Install - CVE-2021-1675
Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
CVE-2021-21972 VSphere Exploitation
Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
Potential CVE-2021-26857 Exploitation Attempt
Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for | abnormal subprocesses spawning by Exchange Server's Unified Messaging service
CVE-2021-26858 Exchange Exploitation
Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content
CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum