Sigma Rules
3,332 rules found
Potential Password Spraying Attempt Using Dsacls.EXE
Detects possible password spraying attempts using Dsacls
Domain Trust Discovery Via Dsquery
Detects execution of "dsquery.exe" for domain trust discovery
Suspicious Kernel Dump Using Dtrace
Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
DumpMinitool Execution
Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
Suspicious DumpMinitool Execution
Detects suspicious ways to use the "DumpMinitool.exe" binary
New Capture Session Launched Via DXCap.EXE
Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
Esentutl Gather Credentials
Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
Copying Sensitive Files with Credential Data
Files with well-known filenames (sensitive files with credential data) copying
Esentutl Steals Browser Information
One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
Potentially Suspicious Event Viewer Child Process
Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
Explorer Process Tree Break
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
Explorer NOUACCHECK Flag
Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
Remote File Download Via Findstr.EXE
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
Findstr GPP Passwords
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
Findstr Launching .lnk File
Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
LSASS Process Reconnaissance Via Findstr.EXE
Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
Permission Misconfiguration Reconnaissance Via Findstr.EXE
Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
Recon Command Output Piped To Findstr.EXE
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
Security Tools Keyword Lookup Via Findstr.EXE
Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
Finger.EXE Execution
Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
Filter Driver Unloaded Via Fltmc.EXE
Detect filter driver unloading activity via fltmc.exe
Sysmon Driver Unloaded Via Fltmc.EXE
Detects possible Sysmon filter driver unloaded via fltmc.exe
Forfiles.EXE Child Process Masquerading
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
Forfiles Command Execution
Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
Uncommon FileSystem Load Attempt By Format.com
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
Use of FSharp Interpreters
Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline.
Fsutil Drive Enumeration
Attackers may leverage fsutil to enumerated connected drives.
Potentially Suspicious NTFS Symlink Behavior Modification
Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
Potential Arbitrary Command Execution Via FTP.EXE
Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
Arbitrary File Download Via GfxDownloadWrapper.EXE
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
Suspicious Git Clone
Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
Github Self-Hosted Runner Execution
Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
Potentially Suspicious GoogleUpdate Child Process
Detects potentially suspicious child processes of "GoogleUpdate.exe"
File Decryption Using Gpg4win
Detects usage of Gpg4win to decrypt files
File Encryption Using Gpg4win
Detects usage of Gpg4win to encrypt files
Portable Gpg.EXE Execution
Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
File Encryption/Decryption Via Gpg4win From Suspicious Locations
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
Gpresult Display Group Policy Information
Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables
File Download Using Notepad++ GUP Utility
Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
Suspicious GUP Usage
Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
HH.EXE Execution
Detects the execution of "hh.exe" to open ".chm" files.
Remote CHM File Download/Execution Via HH.EXE
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.