Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

1,478 rules found for "execution"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

Local Privilege Escalation Indicator TabTip

Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

Windowssystem
TA0009 · CollectionTA0002 · ExecutionTA0006 · Credential AccessT1557.001 · LLMNR/NBT-NS Poisoning and SMB Relay
Florian Roth (Nextron Systems)Fri Oct 07windows
Detectionmediumtest

Eventlog Cleared

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Windowssystem
TA0005 · Defense EvasionT1070.001 · Clear Windows Event Logs2016-04-002 · CAR 2016-04-002
Florian Roth (Nextron Systems)Tue Jan 10windows
Detectionhightest

Important Windows Eventlog Cleared

Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Windowssystem
TA0005 · Defense EvasionT1070.001 · Clear Windows Event Logs2016-04-002 · CAR 2016-04-002
Florian Roth (Nextron Systems)+2Tue May 17windows
Detectionmediumexperimental

ISATAP Router Address Was Set

Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.

Windowssystem
TA0040 · ImpactTA0006 · Credential AccessTA0009 · CollectionTA0001 · Initial Access+4
hamidSun Oct 19windows
Detectioncriticaltest

CobaltStrike Service Installations - System

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Windowssystem
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationTA0008 · Lateral Movement+3
Florian Roth (Nextron Systems)+1Wed May 26windows
Detectionhightest

smbexec.py Service Installation

Detects the use of smbexec.py tool by detecting a specific service installation

Windowssystem
TA0008 · Lateral MovementTA0002 · ExecutionT1021.002 · SMB/Windows Admin SharesT1569.002 · Service Execution
Omer Faruk CelikTue Mar 20windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - System

Detects Obfuscated use of Clip.exe to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - System

Detects Obfuscated use of stdin to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - System

Detects Obfuscated use of Environment Variables to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - System

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - System

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionhightest

Invoke-Obfuscation Via Stdin - System

Detects Obfuscated Powershell via Stdin in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - System

Detects Obfuscated Powershell via use Clip.exe in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - System

Detects Obfuscated Powershell via use MSHTA in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - System

Detects Obfuscated Powershell via use Rundll32 in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Detects Obfuscated Powershell via VAR++ LAUNCHER

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
Detectionhightest

Credential Dumping Tools Service Execution - System

Detects well-known credential dumping tools execution via service execution events

Windowssystem
TA0006 · Credential AccessTA0002 · ExecutionT1003.001 · LSASS MemoryT1003.002 · Security Account Manager+5
Florian Roth (Nextron Systems)+3Sun Mar 05windows
Detectionhightest

PowerShell Scripts Installed as Services

Detects powershell script installed as a Service

Windowssystem
TA0002 · ExecutionT1569.002 · Service Execution
oscd.community+1Tue Oct 06windows
Detectionmediumtest

CSExec Service Installation

Detects CSExec service installation and execution events

Windowssystem
TA0002 · ExecutionT1569.002 · Service Execution
Nasreddine Bencherchali (Nextron Systems)Mon Aug 07windows
Detectionhightest

HackTool Service Registration or Execution

Detects installation or execution of services

Windowssystem
TA0002 · ExecutionT1569.002 · Service ExecutionS0029 · S0029
Florian Roth (Nextron Systems)Mon Mar 21windows
Detectionmediumtest

PAExec Service Installation

Detects PAExec service installation

Windowssystem
TA0002 · ExecutionT1569.002 · Service Execution
Nasreddine Bencherchali (Nextron Systems)Wed Oct 26windows
Detectionhightest

ProcessHacker Privilege Elevation

Detects a ProcessHacker tool that elevated privileges to a very high level

Windowssystem
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationT1543.003 · Windows Service+1
Florian Roth (Nextron Systems)Thu May 27windows
Detectionmediumtest

RemCom Service Installation

Detects RemCom service installation and execution events

Windowssystem
TA0002 · ExecutionT1569.002 · Service Execution
Nasreddine Bencherchali (Nextron Systems)Mon Aug 07windows
Detectionmediumtest

Remote Access Tool Services Have Been Installed - System

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Windowssystem
TA0004 · Privilege EscalationTA0003 · PersistenceTA0002 · ExecutionT1543.003 · Windows Service+1
Connor Martin+1Fri Dec 23windows
Detectionhightest

Sliver C2 Default Service Installation

Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands

Windowssystem
TA0003 · PersistenceTA0002 · ExecutionTA0004 · Privilege EscalationT1543.003 · Windows Service+1
Florian Roth (Nextron Systems)+1Thu Aug 25windows
Detectionmediumtest

PsExec Service Installation

Detects PsExec service installation and execution events

Windowssystem
TA0002 · ExecutionT1569.002 · Service ExecutionS0029 · S0029
Thomas PatzkeMon Jun 12windows
Detectionmediumtest

Scheduled Task Executed From A Suspicious Location

Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task

Windowstaskscheduler
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceT1053.005 · Scheduled Task
Nasreddine Bencherchali (Nextron Systems)Mon Dec 05windows
Detectionmediumtest

Scheduled Task Executed Uncommon LOLBIN

Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task

Windowstaskscheduler
TA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · PersistenceT1053.005 · Scheduled Task
Nasreddine Bencherchali (Nextron Systems)Mon Dec 05windows
Detectionhightest

PSExec and WMI Process Creations Block

Detects blocking of process creations originating from PSExec and WMI commands

Windowswindefend
TA0002 · ExecutionTA0008 · Lateral MovementT1047 · Windows Management InstrumentationT1569.002 · Service Execution
Bhabesh RajTue Jul 14windows
Detectionhighstable

Windows Defender AMSI Trigger Detected

Detects triggering of AMSI by Windows Defender.

Windowswindefend
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
Bhabesh RajMon Sep 14windows
Detectionhighstable

Windows Defender Threat Detected

Detects actions taken by Windows Defender malware detection engines

Windowswindefend
TA0002 · ExecutionT1059 · Command and Scripting Interpreter
Ján TrenčanskýTue Jul 28windows
Detectionhightest

HackTool - CACTUSTORCH Remote Thread Creation

Detects remote thread creation from CACTUSTORCH as described in references.

WindowsRemote Thread Creation
TA0004 · Privilege EscalationTA0005 · Defense EvasionTA0002 · ExecutionT1055.012 · Process Hollowing+3
Thomas PatzkeFri Feb 01windows
Detectionmediumtest

Remote Thread Creation Via PowerShell In Uncommon Target

Detects the creation of a remote thread from a Powershell process in an uncommon target process

WindowsRemote Thread Creation
TA0005 · Defense EvasionTA0002 · ExecutionT1218.011 · Rundll32T1059.001 · PowerShell
Florian Roth (Nextron Systems)Mon Jun 25windows
Detectionhighstable

Password Dumper Remote Thread in LSASS

Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.

WindowsRemote Thread Creation
TA0006 · Credential AccessS0005 · S0005T1003.001 · LSASS Memory
Thomas PatzkeSun Feb 19windows
Detectionhighexperimental

DNS Query by Finger Utility

Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion. Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.

WindowsDNS Query
TA0011 · Command and ControlT1071.004 · DNSTA0002 · ExecutionT1059.003 · Windows Command Shell
Swachchhanda Shrawan Poudel (Nextron Systems)Wed Nov 19windows
Detectionmediumtest

DNS Query Request By Regsvr32.EXE

Detects DNS queries initiated by "Regsvr32.exe"

WindowsDNS Query
TA0002 · ExecutionT1559.001 · Component Object ModelTA0005 · Defense EvasionT1218.010 · Regsvr32
Dmitriy Lifanov+1Fri Oct 25windows
Detectionmediumtest

DNS Query To Remote Access Software Domain From Non-Browser App

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

WindowsDNS Query
TA0011 · Command and Controlattack.t1219.002
François Hubaut+1Mon Jul 11windows
Detectionhightest

Unusual File Modification by dns.exe

Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

WindowsFile Change
TA0003 · PersistenceTA0001 · Initial AccessT1133 · External Remote Services
Tim Rauch+1Tue Sep 27windows
Detectionhightest

Unusual File Deletion by Dns.exe

Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

WindowsFile Delete
TA0003 · PersistenceTA0001 · Initial AccessT1133 · External Remote Services
Tim Rauch+1Tue Sep 27windows
Detectionmediumtest

Assembly DLL Creation Via AspNetCompiler

Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.

WindowsFile Event
TA0002 · Execution
Nasreddine Bencherchali (Nextron Systems)Mon Aug 14windows
Detectionhightest

BloodHound Collection Files

Detects default file names outputted by the BloodHound collection tool SharpHound

WindowsFile Event
TA0007 · DiscoveryT1087.001 · Local AccountT1087.002 · Domain AccountT1482 · Domain Trust Discovery+4
C.J. MayTue Aug 09windows
Detectionmediumtest

Creation Of Non-Existent System DLL

Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.

WindowsFile Event
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Thu Dec 01windows
Detectionlowexperimental

Suspicious Deno File Written from Remote Source

Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.

WindowsFile Event
TA0002 · ExecutionT1204 · User ExecutionT1059.007 · JavaScriptTA0011 · Command and Control+1
Josh Nickels+1Thu May 22windows
Detectionhightest

WScript or CScript Dropper - File

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

WindowsFile Event
TA0002 · ExecutionT1059.005 · Visual BasicT1059.007 · JavaScript
Tim SheltonMon Jan 10windows
Detectionmediumtest

CSExec Service File Creation

Detects default CSExec service filename which indicates CSExec service installation and execution

WindowsFile Event
TA0002 · ExecutionT1569.002 · Service ExecutionS0029 · S0029
Nasreddine Bencherchali (Nextron Systems)Fri Aug 04windows
Detectionlowtest

Dynamic CSharp Compile Artefact

When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution

WindowsFile Event
TA0005 · Defense EvasionT1027.004 · Compile After Delivery
François HubautSun Jan 09windows
Detectioncriticaltest

HackTool - Inveigh Execution Artefacts

Detects the presence and execution of Inveigh via dropped artefacts

WindowsFile Event
TA0011 · Command and Controlattack.t1219.002
Nasreddine Bencherchali (Nextron Systems)Mon Oct 24windows
Detectionhightest

HackTool - Potential Remote Credential Dumping Activity Via CrackMapExec Or Impacket-Secretsdump

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

WindowsFile Event
TA0006 · Credential AccessT1003 · OS Credential Dumping
SecurityAuraWed Nov 16windows
145631