Sigma Rules
143 rules found for "collection"
Exchange PowerShell Snap-Ins Usage
Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Screen Capture Activity Via Psr.EXE
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
PUA - Mouse Lock Execution
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
Rar Usage with Password and Compression Level
Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
Files Added To An Archive Using Rar.EXE
Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Windows Recall Feature Enabled Via Reg.EXE
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Renamed Remote Utilities RAT (RURAT) Execution
Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
Potential Suspicious Activity Using SeCEdit
Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
Audio Capture via SoundRecorder
Detect attacker collecting audio via SoundRecorder application.
Veeam Backup Database Suspicious Query
Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE
Detects dump of credentials in VeeamBackup dbo
SQLite Chromium Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
SQLite Firefox Profile Data DB Access
Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
Automated Collection Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Copy From Or To Admin Share Or Sysvol Folder
Detects a copy command or a copy utility execution to or from an Admin share or remote
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI
Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
Recon Information for Export with Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Script Interpreter Spawning Credential Scanner - Windows
Detects a script interpreter process (like node.js or bun) spawning a known credential scanning tool (e.g., trufflehog, gitleaks). This behavior is indicative of an attempt to find and steal secrets, as seen in the "Shai-Hulud: The Second Coming" campaign.
Compressed File Creation Via Tar.EXE
Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
Compressed File Extraction Via Tar.EXE
Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.
Winrar Compressing Dump Files
Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
WinRAR Execution in Non-Standard Folder
Detects a suspicious WinRAR execution in a folder which is not the default installation folder
Compress Data and Lock With Password for Exfiltration With WINZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Suspicious Camera and Microphone Access
Detects Processes accessing the camera and microphone from suspicious folder
Periodic Backup For System Registry Hives Enabled
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups. Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
Windows Recall Feature Enabled - Registry
Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Potential EventLog File Location Tampering
Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting
Potential Registry Persistence Attempt Via Windows Telemetry
Detects potential persistence behavior using the windows telemetry registry key. Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
WannaCry Ransomware Activity
Detects WannaCry ransomware activity
APT31 Judgement Panda Activity
Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
Conti NTDS Exfiltration Command
Detects a command used by conti to exfiltrate NTDS
Potential Conti Ransomware Database Dumping Activity Via SQLCmd
Detects a command used by conti to dump database
Potential Pikabot Discovery Activity
Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
Shai-Hulud Malicious GitHub Workflow Creation
Detects creation of shai-hulud-workflow.yml file associated with Shai Hulud worm targeting NPM supply chain attack that exfiltrates GitHub secrets
Shai-Hulud NPM Package Malicious Exfiltration via Curl
Detects potential Shai Hulud NPM package attack attempting to exfiltrate data via curl to external webhook sites.
LiteLLM / TeamPCP Supply Chain Attack Indicators
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8). In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
Mail Forwarding/Redirecting Activity In O365
Detects email forwarding or redirecting activity in O365 Audit logs.
Inbox Rules Creation Or Update Activity in O365
Detects inbox rule creation or update via O365 Audit logs, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails. The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails. Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
Clipboard Data Collection Via Pbpaste
Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
System Drawing DLL Load
Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
Compress-Archive Cmdlet Execution
Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Mail Forwarding/Redirecting Activity Via ExchangePowerShell Cmdlet
Detects email forwarding or redirecting activity via ExchangePowerShell Cmdlet
Inbox Rules Creation Or Update Activity Via ExchangePowerShell Cmdlet
Detects inbox rule creation or update via ExchangePowerShell cmdlet, a technique commonly observed in Business Email Compromise (BEC) attacks to hide emails. The usage of inbox rules can be a sign of a compromised mailbox, where an attacker is attempting to evade detections by suppressing or redirecting incoming emails. Analysts should review these rules in context, validate whether they reflect normal user behavior, and correlate with other indicators such as unusual login activity or recent mailbox rule modifications.
Password Protected Compressed File Extraction Via 7Zip
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
Potentially Suspicious Compression Tool Parameters
Detects potentially suspicious command line arguments of common data compression tools