Sigma Rules
3,707 rules found
LSASS Access From Potentially White-Listed Processes
Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference
Uncommon Process Access Rights For Target Image
Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
Potential Direct Syscall of NtOpenProcess
Detects potential calls to NtOpenProcess directly from NTDLL.
Credential Dumping Attempt Via Svchost
Detects when a process tries to access the memory of svchost to potentially dump credentials.
Suspicious Svchost Process Access
Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
Function Call From Undocumented COM Interface EditionUpgradeManager
Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
UAC Bypass Using WOW64 Logger DLL Hijack
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
7Zip Compressing Dump Files
Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Compress Data and Lock With Password for Exfiltration With 7-ZIP
An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Potential DLL Injection Via AccCheckConsole
Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
Suspicious AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
Uncommon Child Process Of AddinUtil.EXE
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
Uncommon AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
AddinUtil.EXE Execution From Uncommon Directory
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
Potential Adplus.EXE Abuse
Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
AgentExecutor PowerShell Execution
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
Suspicious AgentExecutor PowerShell Execution
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
Windows AMSI Related Registry Tampering Via CommandLine
Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
Uncommon Child Process Of Appvlp.EXE
Detects uncommon child processes of Appvlp.EXE Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
Suspicious ArcSOC.exe Child Process
Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding service endpoint and remotely execute code from the ArcSOC.exe process.
AspNetCompiler Execution
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
Suspicious Child Process of AspNetCompiler
Detects potentially suspicious child processes of "aspnet_compiler.exe".
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
Interactive AT Job
Detects an interactive AT job, which may be used as a form of privilege escalation.
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
Hiding Files with Attrib.exe
Detects usage of attrib.exe to hide files from users.
Set Suspicious Files as System Files Using Attrib.EXE
Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
Audit Policy Tampering Via NT Resource Kit Auditpol
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Audit Policy Tampering Via Auditpol
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Suspicious Autorun Registry Modified via WMI
Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
Suspicious BitLocker Access Agent Update Utility Execution
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
Indirect Inline Command Execution Via Bash.EXE
Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Indirect Command Execution From Script File Via Bash.EXE
Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Boot Configuration Tampering Via Bcdedit.EXE
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE
Detects potential malicious and unauthorized usage of bcdedit.exe
Data Export From MSSQL Table Via BCP.EXE
Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
Suspicious Child Process Of BgInfo.EXE
Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Uncommon Child Process Of BgInfo.EXE
Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
BitLockerTogo.EXE Execution
Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
File Download Via Bitsadmin
Detects usage of bitsadmin downloading a file
Suspicious Download From Direct IP Via Bitsadmin
Detects usage of bitsadmin downloading a file using an URL that contains an IP
Suspicious Download From File-Sharing Website Via Bitsadmin
Detects usage of bitsadmin downloading a file from a suspicious domain
File With Suspicious Extension Downloaded Via Bitsadmin
Detects usage of bitsadmin downloading a file with a suspicious extension
File Download Via Bitsadmin To A Suspicious Target Folder
Detects usage of bitsadmin downloading a file to a suspicious target folder
Monitoring For Persistence Via BITS
BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
Potential Data Stealing Via Chromium Headless Debugging
Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control