Sigma Rules
171 rules found for "impact"
Suspicious Execution of Shutdown to Log Out
Detects the rare use of the command line tool shutdown to logoff a user
Potential Crypto Mining Activity
Detects command line parameters or strings often used by crypto miners
Sensitive File Access Via Volume Shadow Copy Backup
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
Shadow Copies Deletion Using Operating Systems Utilities
Shadow Copies deletion using operating systems utilities
Weak or Abused Passwords In CLI
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
Potential File Overwrite Via Sysinternals SDelete
Detects the use of SDelete to erase a file not the free space
All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Windows Backup Deleted Via Wbadmin.EXE
Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
File Recovery From Backup Via Wbadmin.EXE
Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Registry Disable System Restore
Detects the modification of the registry to disable a system restore on the computer
New Root or CA or AuthRoot Certificate to Store
Detects the addition of new root, CA or AuthRoot certificates to the Windows registry
Potential Ransomware Activity Using LegalNotice Message
Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages
WannaCry Ransomware Activity
Detects WannaCry ransomware activity
Potential Dtrack RAT Activity
Detects potential Dtrack RAT activity via specific process patterns
LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
Potential Maze Ransomware Activity
Detects specific process characteristics of Maze ransomware word document droppers
Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
Potential Conti Ransomware Activity
Detects a specific command used by the Conti ransomware group
Potential CVE-2022-21587 Exploitation Attempt
Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
BlueSky Ransomware Artefacts
Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
Detects potential exploitation of a chained vulnerability attack targeting Ivanti EPMM 12.5.0.0. CVE-2025-4427 allows unauthenticated access to protected API endpoints via an authentication bypass, which can then be leveraged to trigger CVE-2025-4428 — a remote code execution vulnerability through template injection. This sequence enables unauthenticated remote code execution, significantly increasing the impact of exploitation.
FunkLocker Ransomware File Creation
Detects the creation of files with the ".funksec" extension, which is appended to encrypted files by the FunkLocker ransomware.
Amsi.DLL Load By Uncommon Process
Detects loading of Amsi.dll by uncommon processes
Process Terminated Via Taskkill
Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this in order to conduct data destruction or data encrypted for impact on the data stores of services like Exchange and SQL Server.