Sigma Rules
3,332 rules found
Suspicious High IntegrityLevel Conhost Legacy Option
ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
Conhost.exe CommandLine Path Traversal
detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
Uncommon Child Process Of Conhost.EXE
Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
Conhost Spawned By Uncommon Parent Process
Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
Control Panel Items
Detects the malicious use of a control panel item
CreateDump Process Dump
Detects uses of the createdump.exe LOLOBIN utility to dump process memory
Dynamic .NET Compilation Via Csc.EXE
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Csc.EXE Execution Form Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Suspicious Csi.exe Usage
Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
Suspicious Use of CSharp Interactive Console
Detects the execution of CSharp interactive console by PowerShell
Active Directory Structure Export Via Csvde.EXE
Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
Potential Cookies Session Hijacking
Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
Curl Web Request With Potential Custom User-Agent
Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
File Download From IP URL Via Curl.EXE
Detects file downloads directly from IP address URL using curl.exe
Suspicious File Download From IP Via Curl.EXE
Detects potentially suspicious file downloads directly from IP addresses using curl.exe
Suspicious File Download From File Sharing Domain Via Curl.EXE
Detects potentially suspicious file download from file sharing domains using curl.exe
Insecure Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "--insecure" flag.
Insecure Proxy/DOH Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
Local File Read Using Curl.EXE
Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
Suspicious Curl.EXE Download
Detects a suspicious curl process start on Windows and outputs the requested document to a local file
Suspicious CustomShellHost Execution
Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Uncommon Child Process Of Defaultpack.EXE
Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
Remote File Download Via Desktopimgdownldr Utility
Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
DeviceCredentialDeployment Execution
Detects the execution of DeviceCredentialDeployment to hide a process from view.
Potential DLL Sideloading Via DeviceEnroller.EXE
Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Arbitrary MSI Download Via Devinit.EXE
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
Potentially Suspicious Child Process Of ClickOnce Application
Detects potentially suspicious child processes of a ClickOnce deployment application
DirLister Execution
Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Diskshadow Script Mode - Uncommon Script Extension Execution
Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
Diskshadow Script Mode - Execution From Potential Suspicious Location
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
PowerShell Web Access Feature Enabled Via DISM
Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
Dism Remove Online Package
Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
DLL Sideloading by VMware Xfer Utility
Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
Dllhost.EXE Execution Anomaly
Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
DNS Exfiltration and Tunneling Tools Execution
Well-known DNS Exfiltration tools execution
Unusual Child Process of dns.exe
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Potential Discovery Activity Via Dnscmd.EXE
Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
Potential Application Whitelisting Bypass via Dnx.EXE
Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
Binary Proxy Execution Via Dotnet-Trace.EXE
Detects commandline arguments for executing a child process via dotnet-trace.exe
Process Memory Dump Via Dotnet-Dump
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
Potential Recon Activity Using DriverQuery.EXE
Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
DriverQuery.EXE Execution
Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
Potentially Over Permissive Permissions Granted Using Dsacls.EXE
Detects usage of Dsacls to grant over permissive permissions