Rule Library

Sigma Rules

254 rules found for "attack.T1218"

3,707 Total
3,116 Detection
451 Emerging
137 Hunting

Detection · high · test

Windows Shell/Scripting Processes Spawning Suspicious Programs

Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.

Windows · Process Creation
TA0002 · Execution, TA0005 · Defense Evasion, T1059.005 · Visual Basic, T1059.001 · PowerShell, +1
Florian Roth (Nextron Systems) +1 · Fri Apr 06 · windows

Detection · low · test

Malicious Windows Script Components File Execution by TAEF Detection

The Windows Test Authoring and Execution Framework (TAEF) lets you run automation by executing test files written in different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as a WSC file with VBScript, a DLL and so on) directly by running te.exe.

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution
Agro oscd.community · Tue Oct 13 · windows

Detection · medium · test

Malicious PE Execution by Microsoft Visual Studio Debugger

The MS VS Just-In-Time Debugger "vsjitdebugger.exe" has an option to launch a specified executable and attach a debugger. Adversaries may use this option to execute malicious code through a signed, verified binary. The debugger is installed alongside the Microsoft Visual Studio package.

Windows · Process Creation
T1218 · System Binary Proxy Execution, TA0005 · Defense Evasion
Agro +2 · Wed Oct 14 · windows

Detection · high · test

Execution via WorkFolders.exe

Detects using WorkFolders.exe to execute an arbitrary control.exe

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution
Maxime Thiebaut · Thu Oct 21 · windows

Detection · medium · test

Potential Binary Impersonating Sysinternals Tools

Detects binaries that use the same name as legitimate Sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversaries may rename their malicious tools as legitimate Sysinternals tools to evade detection.

Windows · Process Creation
TA0002 · Execution, TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, T1202 · Indirect Command Execution, +1
François Hubaut +1 · Mon Dec 20 · windows

Detection · high · test

Bypass UAC via CMSTP

Detects command-line usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files

Windows · Process Creation
TA0004 · Privilege Escalation, TA0005 · Defense Evasion, T1548.002 · Bypass User Account Control, T1218.003 · CMSTP
E.M. Anhaus (originally from Atomic Blue Detections +2 · Thu Oct 24 · windows

Detection · high · stable

CMSTP UAC Bypass via COM Object Access

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

Windows · Process Creation
TA0002 · Execution, TA0005 · Defense Evasion, TA0004 · Privilege Escalation, T1548.002 · Bypass User Account Control, +3
Nik Seetharaman +1 · Wed Jul 31 · windows

Detection · medium · test

Verclsid.exe Runs COM Object

Detects when verclsid.exe is used to run COM object via GUID

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution
Victor Sergeev +1 · Fri Oct 09 · windows

Detection · medium · test

Potentially Suspicious Child Process Of VsCode

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Windows · Process Creation
TA0002 · Execution, TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, T1202 · Indirect Command Execution
Nasreddine Bencherchali (Nextron Systems) · Thu Jan 26 · windows

Detection · medium · test

Potential Binary Proxy Execution Via VSDiagnostics.EXE

Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution
Nasreddine Bencherchali (Nextron Systems) · Thu Aug 03 · windows

Detection · medium · test

Suspicious Vsls-Agent Command With AgentExtensionPath Load

Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution
bohops · Sun Oct 30 · windows

Detection · high · experimental

Winrs Local Command Execution

Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.

Windows · Process Creation
TA0008 · Lateral Movement, TA0005 · Defense Evasion, T1021.006 · Windows Remote Management, T1218 · System Binary Proxy Execution
Liran Ravich +1 · Wed Oct 22 · windows

Detection · medium · experimental

Wlrmdr.EXE Uncommon Argument Or Child Process

Detects the execution of "Wlrmdr.exe" with the "-u" command line flag, which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that possess "ParentImage" telemetry.

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution
François Hubaut +1 · Wed Feb 16 · windows

Detection · high · test

Suspicious WMIC Execution Via Office Process

An Office application called wmic to proxy execution through a LOLBIN process. This is often used to break a suspicious parent-child chain (Office app spawns LOLBin).

WindowsProcess Creation
T1204.002 · Malicious FileT1047 · Windows Management InstrumentationT1218.010 · Regsvr32TA0002 · Execution+1
Vadim Khrykov+1Mon Aug 23windows
Detectionhightest

Suspicious WmiPrvSE Child Process

Detects suspicious and uncommon child processes of WmiPrvSE

Windows · Process Creation
TA0002 · Execution, TA0005 · Defense Evasion, T1047 · Windows Management Instrumentation, T1204.002 · Malicious File, +1
Vadim Khrykov (ThreatIntel) +2 · Mon Aug 23 · windows

Detection · medium · test

WSL Child Process Anomaly

Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL

Windows · Process Creation
TA0002 · Execution, TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, T1202 · Indirect Command Execution
Nasreddine Bencherchali (Nextron Systems) · Mon Jan 23 · windows

Detection · high · test

Proxy Execution Via Wuauclt.EXE

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, TA0002 · Execution
Roberto Rodriguez (Cyb3rWard0g) +4 · Mon Oct 12 · windows

Detection · medium · test

COM Object Execution via Xwizard.EXE

Detects the execution of the Xwizard tool with the "RunWizard" flag and a GUID-like argument. This utility can be abused in order to run a custom COM object created in the registry.

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution
Ensar Şamil +2 · Wed Oct 07 · windows

Detection · high · stable

CMSTP Execution Registry Event

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Windows · Registry Event
TA0005 · Defense Evasion, TA0002 · Execution, T1218.003 · CMSTP, G0069 · G0069, +1
Nik Seetharaman · Mon Jul 16 · windows

Detection · medium · test

Atbroker Registry Change

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Windows · Registry Event
TA0004 · Privilege Escalation, TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, TA0003 · Persistence, +1
Mateusz Wydra +1 · Tue Oct 13 · windows

Detection · high · test

Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

Windows · Registry Set
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution
Swachchhanda Shrawan Poudel · Wed Aug 02 · windows

Detection · medium · test

ScreenSaver Registry Key Set

Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl

Windows · Registry Set
TA0005 · Defense Evasion, T1218.011 · Rundll32
Jose Luis Sanchez Martinez · Wed May 04 · windows

Detection · high · test

Execution DLL of Choice Using WAB.EXE

This rule detects that the path to the DLL written in the registry is different from the default one. When launched, WAB.exe tries to load the DLL from the registry.

Windows · Registry Set
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution
oscd.community +1 · Tue Oct 13 · windows

Emerging Threat · critical · test

ZxShell Malware

Detects a ZxShell start by the called and well-known function name

Windows · Process Creation
TA0002 · Execution, T1059.003 · Windows Command Shell, TA0005 · Defense Evasion, T1218.011 · Rundll32, +3
Florian Roth (Nextron Systems) +2 · Thu Jul 20 · 2014

Emerging Threat · high · test

Fireball Archer Install

Detects Archer malware invocation via rundll32

Windows · Process Creation
TA0002 · Execution, TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
Florian Roth (Nextron Systems) · Sat Jun 03 · 2017

Emerging Threat · critical · test

NotPetya Ransomware Activity

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Windows · Process Creation
TA0005 · Defense Evasion, T1218.011 · Rundll32, T1070.001 · Clear Windows Event Logs, TA0006 · Credential Access, +3
Florian Roth (Nextron Systems) +1 · Wed Jan 16 · 2017

Emerging Threat · high · test

Sofacy Trojan Loader Activity

Detects Trojan loader activity as used by APT28

Windows · Process Creation
TA0005 · Defense Evasion, TA0002 · Execution, G0007 · APT28, T1059.003 · Windows Command Shell, +3
Florian Roth (Nextron Systems) +2 · Thu Mar 01 · 2018

Emerging Threat · critical · stable

APT29 2018 Phishing Campaign File Indicators

Detects indicators of the APT29 (Cozy Bear) phishing campaign as reported by Mandiant

Windows · File Event
TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
@41thexplorer · Tue Nov 20 · 2018

Emerging Threat · critical · stable

APT29 2018 Phishing Campaign CommandLine Indicators

Detects indicators of the APT29 (Cozy Bear) phishing campaign as reported by Mandiant

Windows · Process Creation
TA0005 · Defense Evasion, TA0002 · Execution, T1218.011 · Rundll32, detection.emerging-threats
Florian Roth (Nextron Systems) · Tue Nov 20 · 2018

Emerging Threat · high · test

Potential Baby Shark Malware Activity

Detects activity that could be related to Baby Shark malware

Windows · Process Creation
TA0002 · Execution, TA0005 · Defense Evasion, TA0007 · Discovery, T1012 · Query Registry, +4
Florian Roth (Nextron Systems) · Sun Feb 24 · 2019

Emerging Threat · medium · test

Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32

Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local

Windows · Process Creation
TA0005 · Defense Evasion, T1218.010 · Regsvr32, detection.emerging-threats
Florian Roth (Nextron Systems) +2 · Wed Oct 02 · 2019

Emerging Threat · high · test

Potential EmpireMonkey Activity

Detects potential EmpireMonkey APT activity

Windows · Process Creation
TA0005 · Defense Evasion, T1218.010 · Regsvr32, detection.emerging-threats
Markus Neis +1 · Tue Apr 02 · 2019

Emerging Threat · critical · stable

Equation Group DLL_U Export Function Load

Detects a specific export function name used by one of EquationGroup tools

Windows · Process Creation
G0020 · G0020, TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
Florian Roth (Nextron Systems) · Mon Mar 04 · 2019

Emerging Threat · critical · test

Potential Emotet Rundll32 Execution

Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL

Windows · Process Creation
TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
FPT.EagleEye · Fri Dec 25 · 2020

Emerging Threat · critical · test

EvilNum APT Golden Chickens Deployment Via OCX Files

Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report

Windows · Process Creation
TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
Florian Roth (Nextron Systems) · Fri Jul 10 · 2020

Emerging Threat · high · test

Potential Devil Bait Malware Reconnaissance

Detects specific process behavior observed with Devil Bait samples

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) +1 · Mon May 15 · 2021

Emerging Threat · high · test

Potential Bumblebee Remote Thread Creation

Detects remote thread injection events based on actions seen used by Bumblebee

Windows · Remote Thread Creation
TA0005 · Defense Evasion, TA0002 · Execution, T1218.011 · Rundll32, T1059.001 · PowerShell, +1
Nasreddine Bencherchali (Nextron Systems) · Tue Sep 27 · 2022

Emerging Threat · high · test

IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32

Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID

Windows · Process Creation
TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Thu Aug 31 · 2023

Emerging Threat · medium · test

Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE

Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "Rundll32" is also used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above is used to orchestrate the download and execution of malicious DLL files.

Windows · Process Creation
TA0005 · Defense Evasion, TA0011 · Command and Control, TA0002 · Execution, T1059.003 · Windows Command Shell, +3
Alejandro Houspanossian · Tue Jan 02 · 2023

Emerging Threat · medium · test

Rhadamanthys Stealer Module Launch Via Rundll32.EXE

Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023

Windows · Process Creation
TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
TropChaud · Thu Jan 26 · 2023

Emerging Threat · high · test

Potential Compromised 3CXDesktopApp Execution

Detects execution of known compromised version of 3CXDesktopApp

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, TA0002 · Execution, detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Wed Mar 29 · 2023

Emerging Threat · high · test

Potential Suspicious Child Process Of 3CXDesktopApp

Detects potential suspicious child processes of "3CXDesktopApp.exe", which could be related to the 3CXDesktopApp supply chain compromise

Windows · Process Creation
TA0011 · Command and Control, TA0002 · Execution, TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, +1
Nasreddine Bencherchali (Nextron Systems) · Wed Mar 29 · 2023

Emerging Threat · high · test

Potential Compromised 3CXDesktopApp Update Activity

Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software

Windows · Process Creation
TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, TA0002 · Execution, detection.emerging-threats
Nasreddine Bencherchali (Nextron Systems) · Wed Mar 29 · 2023

Emerging Threat · high · test

Kapeka Backdoor Loaded Via Rundll32.EXE

Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.

Windows · Image Load (DLL)
TA0002 · Execution, T1204.002 · Malicious File, TA0005 · Defense Evasion, T1218.011 · Rundll32, +1
Swachchhanda Shrawan Poudel · Wed Jul 03 · 2024

Emerging Threat · high · test

Kapeka Backdoor Execution Via RunDLL32.EXE

Detects the Kapeka backdoor process execution pattern, where the dropper launches the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.

Windows · Process Creation
TA0005 · Defense Evasion, T1218.011 · Rundll32, detection.emerging-threats
Swachchhanda Shrawan Poudel +1 · Wed Jul 03 · 2024

Emerging Threat · high · test

Potential Raspberry Robin CPL Execution Activity

Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.

Windows · Process Creation
TA0005 · Defense Evasion, TA0002 · Execution, T1218.011 · Rundll32, detection.emerging-threats
Swachchhanda Shrawan Poudel · Thu Mar 07 · 2024

Emerging Threat · high · experimental

Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.

Windows · Image Load (DLL)
TA0011 · Command and Control, TA0002 · Execution, TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, +4
Swachchhanda Shrawan Poudel (Nextron Systems) · Fri Jun 13 · 2025

Emerging Threat · high · experimental

Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers instead of legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV.

Windows · Process Access
TA0011 · Command and Control, TA0002 · Execution, TA0005 · Defense Evasion, T1218 · System Binary Proxy Execution, +4
Swachchhanda Shrawan Poudel (Nextron Systems) · Fri Jun 13 · 2025