Sigma Rules
3,116 rules found for "sigma"
PUA - Chisel Tunneling Tool Execution
Detects usage of the Chisel tunneling tool via the commandline arguments
PUA - CleanWipe Execution
Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
PUA - CsExec Execution
Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
PUA - DefenderCheck Execution
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
PUA - DIT Snapshot Viewer
Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
PUA - Fast Reverse Proxy (FRP) Execution
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
PUA- IOX Tunneling Tool Execution
Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
PUA - Kernel Driver Utility (KDU) Execution
Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel. Potentially allowing for privilege escalation, persistence, or evasion of security controls.
PUA - Mouse Lock Execution
In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
PUA - Netcat Suspicious Execution
Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
PUA - SoftPerfect Netscan Execution
Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
PUA - Ngrok Execution
Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
PUA - Nimgrab Execution
Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
PUA - NimScan Execution
Detects usage of NimScan, a portscanner utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.
PUA - NirCmd Execution
Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
PUA - NirCmd Execution As LOCAL SYSTEM
Detects the use of NirCmd tool for command execution as SYSTEM user
PUA - Nmap/Zenmap Execution
Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
PUA - NPS Tunneling Tool Execution
Detects the use of NPS, a port forwarding and intranet penetration proxy server
PUA - NSudo Execution
Detects the use of NSudo tool for command execution
PUA - PingCastle Execution
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
PUA - PingCastle Execution From Potentially Suspicious Parent
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
PUA - Process Hacker Execution
Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
PUA - Radmin Viewer Utility Execution
Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
PUA - Potential PE Metadata Tamper Using Rcedit
Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
PUA - Rclone Execution
Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
PUA - Restic Backup Tool Execution
Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services. If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
PUA - RunXCmd Execution
Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
PUA - Seatbelt Execution
Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
PUA - System Informer Execution
Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
PUA - TruffleHog Execution
Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
PUA - WebBrowserPassView Execution
Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
PUA - Wsudo Suspicious Execution
Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
PUA - Adidnsdump Execution
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
Python Inline Command Execution
Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
Python Spawning Pretty TTY on Windows
Detects python spawning a pretty tty
Potentially Suspicious Usage Of Qemu
Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
Query Usage To Exfil Data
Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
QuickAssist Execution
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
Files Added To An Archive Using Rar.EXE
Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Rar Usage with Password and Compression Level
Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
Suspicious Greedy Compression Using Rar.EXE
Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
Suspicious RASdial Activity
Detects suspicious process related to rasdial.exe
RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class
Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell. In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP. In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
Process Memory Dump via RdrLeakDiag.EXE
Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
Windows Recovery Environment Disabled Via Reagentc
Detects attempts to disable windows recovery environment using Reagentc. ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE). It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
Potential Persistence Attempt Via Run Keys Using Reg.EXE
Detects suspicious command line reg.exe tool adding key to RUN key in Registry
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not