Sigma Rules
3,332 rules found
LSASS Dump Keyword In CommandLine
Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
Potential File Download Via MS-AppInstaller Protocol Handler
Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\<RANDOM-8-CHAR-DIRECTORY>"
Suspicious Network Command
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Suspicious Scan Loop Network
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
Potential Network Sniffing Activity Using Network Tools
Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Process Launched Without Image Name
Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
Execution of Suspicious File Type Extension
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.
Non-privileged Usage of Reg or Powershell
Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
Suspicious Process Patterns NTDS.DIT Exfil
Detects suspicious process patterns used in NTDS.DIT exfiltration
Potentially Suspicious Call To Win32_NTEventlogFile Class
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Use Short Name Path in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
Use NTFS Short Name in Command Line
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
Use NTFS Short Name in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
Obfuscated IP Download Activity
Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
Obfuscated IP Via CLI
Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
Suspicious Process Parents
Detects suspicious parent processes that should not have any children or should only have a single possible child program
Potential PowerShell Execution Via DLL
Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.
Privilege Escalation via Named Pipe Impersonation
Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Private Keys Reconnaissance Via CommandLine Tools
Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Windows Processes Suspicious Parent Directory
Detect suspicious parent processes of well-known Windows processes
Suspicious Program Names
Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
Recon Information for Export with Command Prompt
Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Suspicious Process Execution From Fake Recycle.Bin Folder
Detects process execution from a fake recycle bin folder, often used to avoid security solution.
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
Registry Modification of MS-settings Protocol Handler
Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence. Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
Potential Remote Desktop Tunneling
Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.
Script Interpreter Execution From Suspicious Folder
Detects a suspicious script execution in temporary folders or folders accessible by environment variables
Suspicious Script Execution From Temp Folder
Detects a suspicious script executions from temporary folder
Sensitive File Access Via Volume Shadow Copy Backup
Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
Suspicious New Service Creation
Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
Suspicious Service Binary Directory
Detects a service binary running in a suspicious directory
Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
Shadow Copies Creation Using Operating Systems Utilities
Shadow Copies creation using operating systems utilities, possible credential access
Windows Shell/Scripting Processes Spawning Suspicious Programs
Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
Process Creation Using Sysnative Folder
Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Suspicious SYSVOL Domain Group Policy Access
Detects Access to Domain Group Policies stored in SYSVOL
Tasks Folder Evasion
The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Malicious Windows Script Components File Execution by TAEF Detection
Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
Malicious PE Execution by Microsoft Visual Studio Debugger
There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
Suspicious Userinit Child Process
Detects a suspicious child process of userinit
Weak or Abused Passwords In CLI
Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
Usage Of Web Request Commands And Cmdlets
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
WhoAmI as Parameter
Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
Execution via WorkFolders.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe