Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

1,478 rules found for "execution"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionmediumtest

Dump Ntds.dit To Suspicious Location

Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location

Windowsapplication
TA0002 · Execution
Nasreddine Bencherchali (Nextron Systems)Sun Aug 14windows
Detectioncriticaltest

Audit CVE Event

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Windowsapplication
TA0002 · ExecutionT1203 · Exploitation for Client ExecutionTA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalation+8
Florian Roth (Nextron Systems)+1Wed Jan 15windows
Detectionhightest

Restricted Software Access By SRP

Detects restricted access to applications by the Software Restriction Policies (SRP) policy

Windowsapplication
TA0008 · Lateral MovementTA0002 · ExecutionTA0005 · Defense EvasionT1072 · Software Deployment Tools
François HubautThu Jan 12windows
Detectionmediumtest

MSI Installation From Suspicious Locations

Detects MSI package installation from suspicious locations

Windowsapplication
TA0002 · Execution
Nasreddine Bencherchali (Nextron Systems)Wed Aug 31windows
Detectionhightest

MSSQL SPProcoption Set

Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started

Windowsapplication
TA0003 · Persistence
Nasreddine Bencherchali (Nextron Systems)Wed Jul 13windows
Detectionhightest

MSSQL XPCmdshell Suspicious Execution

Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands

Windowsapplication
TA0002 · Execution
Nasreddine Bencherchali (Nextron Systems)Tue Jul 12windows
Detectionhightest

MSSQL XPCmdshell Option Change

Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed.

Windowsapplication
TA0002 · Execution
Nasreddine Bencherchali (Nextron Systems)Tue Jul 12windows
Detectionlowtest

Remote Access Tool - ScreenConnect Command Execution

Detects command execution via ScreenConnect RMM

Windowsapplication
TA0002 · ExecutionT1059.003 · Windows Command Shell
Ali AlwashaliTue Oct 10windows
Detectionlowtest

Remote Access Tool - ScreenConnect File Transfer

Detects file being transferred via ScreenConnect RMM

Windowsapplication
TA0002 · ExecutionT1059.003 · Windows Command Shell
Ali AlwashaliTue Oct 10windows
Detectionmediumtest

AppLocker Prevented Application or Script from Running

Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Windowsapplocker
TA0002 · ExecutionT1204.002 · Malicious FileT1059.001 · PowerShellT1059.003 · Windows Command Shell+3
Pushkarev DmitrySun Jun 28windows
Detectionlowtest

Sysinternals Tools AppX Versions Execution

Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.

Windowsappmodel-runtime
TA0005 · Defense EvasionTA0002 · Execution
Nasreddine Bencherchali (Nextron Systems)Mon Jan 16windows
Detectionmediumexperimental

Windows AppX Deployment Full Trust Package Installation

Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions

Windowsappxdeployment-server
TA0005 · Defense EvasionTA0002 · ExecutionT1204.002 · Malicious FileT1553.005 · Mark-of-the-Web Bypass
Michael Haag+1Mon Nov 03windows
Detectionmediumexperimental

Windows AppX Deployment Unsigned Package Installation

Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events

Windowsappxdeployment-server
TA0005 · Defense EvasionTA0002 · ExecutionT1204.002 · Malicious FileT1553.005 · Mark-of-the-Web Bypass
Michael Haag+1Mon Nov 03windows
Detectionmediumtest

Suspicious Digital Signature Of AppX Package

Detects execution of AppX packages with known suspicious or malicious signature

Windowsappxpackaging-om
TA0005 · Defense EvasionTA0002 · Execution
Nasreddine Bencherchali (Nextron Systems)Mon Jan 16windows
Detectionlowexperimental

CodeIntegrity - Unmet Signing Level Requirements By File Under Validation

Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.

Windowscodeintegrity-operational
TA0002 · Execution
Florian Roth (Nextron Systems)+1Thu Jan 20windows
Detectionhightest

Loading Diagcab Package From Remote Path

Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability

Windowsdiagnosis-scripted
TA0002 · Execution
Nasreddine Bencherchali (Nextron Systems)Sun Aug 14windows
Detectionlowstable

Successful Account Login Via WMI

Detects successful logon attempts performed with WMI

Windowssecurity
TA0002 · ExecutionT1047 · Windows Management Instrumentation
Thomas PatzkeWed Dec 04windows
Detectionhightest

Hacktool Ruler

This events that are generated when using the hacktool Ruler by Sensepost

Windowssecurity
TA0005 · Defense EvasionTA0007 · DiscoveryTA0002 · ExecutionTA0009 · Collection+5
Florian Roth (Nextron Systems)Wed May 31windows
Detectionmediumtest

Remote Task Creation via ATSVC Named Pipe

Detects remote task creation via at.exe or API interacting with ATSVC namedpipe

Windowssecurity
TA0004 · Privilege EscalationTA0002 · ExecutionTA0008 · Lateral MovementTA0003 · Persistence+3
Samir BousseadenWed Apr 03windows
Detectionhightest

Security Eventlog Cleared

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Windowssecurity
TA0005 · Defense EvasionT1070.001 · Clear Windows Event Logs2016-04-002 · CAR 2016-04-002
Florian Roth (Nextron Systems)Tue Jan 10windows
Detectionhightest

CobaltStrike Service Installations - Security

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Windowssecurity
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationTA0008 · Lateral Movement+3
Florian Roth (Nextron Systems)+1Wed May 26windows
Detectionhightest

Persistence and Execution at Scale via GPO Scheduled Task

Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale

Windowssecurity
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceTA0008 · Lateral Movement+1
Samir BousseadenWed Apr 03windows
Detectionhightest

HackTool - EDRSilencer Execution - Filter Added

Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

Windowssecurity
TA0005 · Defense EvasionT1562 · Impair Defenses
Thodoris PolyzosMon Jan 29windows
Detectionhightest

HackTool - NoFilter Execution

Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators

Windowssecurity
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1134 · Access Token ManipulationT1134.001 · Token Impersonation/Theft
Stamatis Chatzimangou (st0pp3r)Fri Jan 05windows
Detectionhightest

Impacket PsExec Execution

Detects execution of Impacket's psexec.py.

Windowssecurity
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin Shares
Bhabesh RajMon Dec 14windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - Security

Detects Obfuscated use of Clip.exe to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - Security

Detects Obfuscated use of stdin to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - Security

Detects Obfuscated use of Environment Variables to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - Security

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionhightest

Invoke-Obfuscation Via Stdin - Security

Detects Obfuscated Powershell via Stdin in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - Security

Detects Obfuscated Powershell via use Clip.exe in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - Security

Detects Obfuscated Powershell via use MSHTA in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - Security

Detects Obfuscated Powershell via use Rundll32 in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

Detects Obfuscated Powershell via VAR++ LAUNCHER

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
Detectionhightest

Credential Dumping Tools Service Execution - Security

Detects well-known credential dumping tools execution via service execution events

Windowssecurity
TA0006 · Credential AccessTA0002 · ExecutionT1003.001 · LSASS MemoryT1003.002 · Security Account Manager+5
Florian Roth (Nextron Systems)+3Sun Mar 05windows
Detectioncriticaltest

WCE wceaux.dll Access

Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host

Windowssecurity
TA0006 · Credential AccessT1003 · OS Credential DumpingS0005 · S0005
Thomas PatzkeWed Jun 14windows
Detectionhightest

Metasploit Or Impacket Service Installation Via SMB PsExec

Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation

Windowssecurity
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin SharesT1570 · Lateral Tool TransferTA0002 · Execution+1
Bartlomiej Czyz+1Thu Jan 21windows
Detectionhightest

PowerShell Scripts Installed as Services - Security

Detects powershell script installed as a Service

Windowssecurity
TA0002 · ExecutionT1569.002 · Service Execution
oscd.community+1Tue Oct 06windows
Detectionhightest

Remote PowerShell Sessions Network Connections (WinRM)

Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986

Windowssecurity
TA0002 · ExecutionT1059.001 · PowerShell
Roberto Rodriguez (Cyb3rWard0g)Thu Sep 12windows
Detectionmediumtest

Remote Access Tool Services Have Been Installed - Security

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Windowssecurity
TA0004 · Privilege EscalationTA0003 · PersistenceTA0002 · ExecutionT1543.003 · Windows Service+1
Connor Martin+1Fri Dec 23windows
Detectionhightest

Suspicious PsExec Execution

detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one

Windowssecurity
TA0008 · Lateral MovementT1021.002 · SMB/Windows Admin Shares
Samir BousseadenWed Apr 03windows
Detectionhightest

Suspicious Scheduled Task Creation

Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.

Windowssecurity
TA0002 · ExecutionTA0004 · Privilege EscalationTA0003 · PersistenceT1053.005 · Scheduled Task
Nasreddine Bencherchali (Nextron Systems)Mon Dec 05windows
Detectionhightest

Important Scheduled Task Deleted/Disabled

Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Windowssecurity
TA0002 · ExecutionTA0004 · Privilege EscalationTA0003 · PersistenceT1053.005 · Scheduled Task
Nasreddine Bencherchali (Nextron Systems)Mon Dec 05windows
Detectionhightest

Suspicious Scheduled Task Update

Detects update to a scheduled task event that contain suspicious keywords.

Windowssecurity
TA0002 · ExecutionTA0004 · Privilege EscalationTA0003 · PersistenceT1053.005 · Scheduled Task
Nasreddine Bencherchali (Nextron Systems)Mon Dec 05windows
Detectionhightest

T1047 Wmiprvse Wbemcomn DLL Hijack

Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.

Windowssecurity
TA0002 · ExecutionT1047 · Windows Management InstrumentationTA0008 · Lateral MovementT1021.002 · SMB/Windows Admin Shares
Roberto Rodriguez (Cyb3rWard0g)+1Mon Oct 12windows
Detectionmediumtest

Suspicious Application Installed

Detects suspicious application installed by looking at the added shortcut to the app resolver cache

Windowsshell-core
TA0002 · Execution
Nasreddine Bencherchali (Nextron Systems)Sun Aug 14windows
Detectionmediumtest

Suspicious Rejected SMB Guest Logon From IP

Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service

Windowssmbclient-security
TA0006 · Credential AccessT1110.001 · Password Guessing
Florian Roth (Nextron Systems)+2Wed Jun 30windows
134531