Sigma Rules
1,478 rules found for "execution"
Grixba Malware Reconnaissance Activity
Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations. This tool is used by the Play ransomware group for network enumeration, data gathering, and event log clearing.
Katz Stealer DLL Loaded
Detects loading of DLLs associated with Katz Stealer malware 2025 variants. Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems. The process that loads these DLLs are very likely to be malicious.
Kalambur Backdoor Curl TOR SOCKS Proxy Execution
Detects the execution of the "curl.exe" command, referencing "SOCKS" and ".onion" domains, which could be indicative of Kalambur backdoor activity.
Shai-Hulud Malware Indicators - Linux
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
Shai-Hulud Malicious Bun Execution - Linux
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack. The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
Shai-Hulud 2.0 Malicious NPM Package Installation - Linux
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
Shai-Hulud Malware Indicators - Windows
Detects potential Shai-Hulud malware indicators based on specific command line arguments associated with its execution.
Shai-Hulud Malicious Bun Execution
Detects the execution of `bun_environment.js` via the Bun runtime, a behavior associated with the Shai-Hulud "Second Coming" NPM supply chain attack. The malware uses a `setup_bun.js` script to install the Bun runtime if not present, and then executes the malicious `bun_environment.js` payload.
Shai-Hulud 2.0 Malicious NPM Package Installation
Detects the command-line installation of specific malicious npm packages and versions associated with the Shai-Hulud 2.0 supply chain attack.
Axios NPM Compromise Indicators - Linux
Detects the Linux-specific execution chain of the plain-crypto-js malicious npm dependency by Axios NPM package, including payload download via curl and detached execution using nohup and python3. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection.
Axios NPM Compromise Indicators - macOS
Detects the macOS-specific execution chain of the plain-crypto-js malicious npm dependency in Axios NPM Package, including AppleScript execution via osascript, payload download, permission modification, execution, and cleanup.
Axios NPM Compromise Indicators - Windows
Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.
LiteLLM / TeamPCP Supply Chain Attack Indicators
Detects process executions related to the backdoored versions of LiteLLM (v1.82.7 or v1.82.8). In March 2026, a supply chain attack was discovered involving the popular open-source LLM framework LiteLLM by Threat Actor TeamPCP. The malicious package harvests every credential on the system, encrypts and exfiltrates them, and installs a persistent C2 backdoor.
Python Path Configuration File Creation - Linux
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
Potentially Suspicious Long Filename Pattern - Linux
Detects the creation of files with unusually long filenames (100 or more characters), which may indicate obfuscation techniques used by malware such as VShell. This is a hunting rule to identify potential threats that use long filenames to evade detection. Keep in mind that on a legitimate system, such long filenames can and are common. Run this detection in the context of threat hunting rather than alerting. Adjust the threshold of filename length as needed based on your environment.
Python Path Configuration File Creation - MacOS
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
Clipboard Data Collection Via Pbpaste
Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
Successful MSIX/AppX Package Installation
Detects successful MSIX/AppX package installations on Windows systems by monitoring EventID 854 in the Microsoft-Windows-AppXDeployment-Server/Operational log. While most installations are legitimate, this can help identify unauthorized or suspicious package installations. It is crucial to monitor such events as threat actors may exploit MSIX/AppX packages to deliver and execute malicious payloads.
Scheduled Task Deletion
Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
Remote Thread Creation Via PowerShell
Detects the creation of a remote thread from a Powershell process to another process
File Creation Date Changed to Another Year
Detects when the file creation time is changed to a year before 2020. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. In order to use this rule in production, it is recommended first baseline normal behavior in your environment and then tune the rule accordingly. Hunting Recommendation: Focus on files with creation times set to years significantly before the current date, especially those in user-writable directories. Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.
Python Path Configuration File Creation - Windows
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
Scheduled Task Created - FileCreation
Detects the creation of a scheduled task via file creation.
VsCode Code Tunnel Execution File Indicator
Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
Detects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory. The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object. Investigation of the loading application and its behavior is required to determining if its malicious.
Microsoft Excel Add-In Loaded
Detects Microsoft Excel loading an Add-In (.xll) file
Microsoft Word Add-In Loaded
Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
WMI Module Loaded By Uncommon Process
Detects WMI modules being loaded by an uncommon process
Dfsvc.EXE Network Connection To Non-Local IPs
Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
Dfsvc.EXE Initiated Network Connection Over Uncommon Port
Detects an initiated network connection over uncommon ports from "dfsvc.exe". A utility used to handled ClickOnce applications.
Dllhost.EXE Initiated Network Connection To Non-Local IP Address
Detects Dllhost.EXE initiating a network connection to a non-local IP address. Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment.
HH.EXE Initiated HTTP Network Connection
Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
Network Connection Initiated By PowerShell Process
Detects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.
PsExec Default Named Pipe
Detects PsExec service default pipe creation
Uncommon PowerShell Hosts
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
Detects powershell execution with that make use of to the bxor (Bitwise XOR). Attackers might use as an alternative obfuscation method to Base64 encoded commands. Investigate the CommandLine and process tree to determine if the activity is malicious.
Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
Compress-Archive Cmdlet Execution
Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
WinAPI Library Calls Via PowerShell Scripts
Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
WinAPI Function Calls Via PowerShell Scripts
Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
Set Files as System Files Using Attrib.EXE
Detects the execution of "attrib" with the "+s" flag to mark files as system files
Potential BOINC Software Execution (UC-Berkeley Signature)
Detects the use of software that is related to the University of California, Berkeley via metadata information. This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
Potential File Override/Append Via SET Command
Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign. Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly. Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt". The typical use case of the "set /p=" command is to prompt the user for input.
Headless Process Launched Via Conhost.EXE
Detects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the windows from the user upon execution.
Dynamic .NET Compilation Via Csc.EXE - Hunting
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Curl.EXE Execution
Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server
Potential Data Exfiltration Via Curl.EXE
Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration