Sigma Rules
1,478 rules found for "execution"
Malicious DLL File Dropped in the Teams or OneDrive Folder
Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Suspicious File Creation In Uncommon AppData Folder
Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
File With Uncommon Extension Created By An Office Application
Detects the creation of files with an executable or script extension by an Office application.
PCRE.NET Package Temp Files
Detects processes creating temp files related to PCRE.NET package
Suspicious File Created In PerfLogs
Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive powershell scripts used for exploitation
RemCom Service File Creation
Detects default RemCom service filename which indicates RemCom service installation and execution
Remote Access Tool - ScreenConnect Temporary File
Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
Windows Shell/Scripting Application File Write to Suspicious Folder
Detects Windows shells and scripting applications that write files to suspicious folders
Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
Suspicious Get-Variable.exe Creation
Get-Variable is a valid PowerShell cmdlet WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
Suspicious Binaries and Scripts in Public Folder
Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
Potential File Extension Spoofing Using Right-to-Left Override
Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.
Suspicious Startup Folder Persistence
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers. This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
Suspicious Interactive PowerShell as SYSTEM
Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
Suspicious Scheduled Task Write to System32 Tasks
Detects the creation of tasks from processes executed from suspicious locations
WinSxS Executable File Creation By Non-System Process
Detects the creation of binaries in the WinSxS folder by non-system processes
PsExec Service File Creation
Detects default PsExec service filename which indicates PsExec service installation and execution
PSEXEC Remote Execution File Artefact
Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
Renamed VsCode Code Tunnel Execution - File Indicator
Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility by an "Image" or "Process" other than VsCode.
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.
DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations
PCRE.NET Package Image Load
Detects processes loading modules related to PCRE.NET package
PowerShell Core DLL Loaded By Non PowerShell Process
Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
Unsigned .node File Loaded
Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
DotNET Assembly DLL Loaded Via Office Application
Detects any assembly DLL being loaded by an Office Product
CLR DLL Loaded Via Office Applications
Detects CLR DLL being loaded by an Office Product
GAC DLL Loaded Via Office Applications
Detects any GAC DLL being loaded by an Office Product
Microsoft Excel Add-In Loaded From Uncommon Location
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
Microsoft VBA For Outlook Addin Loaded Via Outlook
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
VBA DLL Loaded Via Office Application
Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
Remote DLL Load Via Rundll32.EXE
Detects a remote DLL load event via "rundll32.exe".
Abusable DLL Potential Sideloading From Suspicious Location
Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
Potential Mfdetours.DLL Sideloading
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Unsigned Mfdetours.DLL Sideloading
Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Unsigned Module Loaded by ClickOnce Application
Detects unsigned module load by ClickOnce application.
Python Image Load By Non-Python Process
Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code. Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables. Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.
DotNet CLR DLL Loaded By Scripting Applications
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
Unsigned DLL Loaded by Windows Utility
Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
MMC Loading Script Engines DLLs
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.