Sigma Rules
3,332 rules found
Clipboard Data Collection Via Pbpaste
Detects execution of the "pbpaste" utility, which retrieves the contents of the clipboard (a.k.a. pasteboard) and writes them to the standard output (stdout). The utility is often used for creating new files with the clipboard content or for piping clipboard contents to other commands. It can also be used in shell scripts that may require clipboard content as input. Attackers can abuse this utility in order to collect data from the user clipboard, which may contain passwords or sensitive information. Use this rule to hunt for potential abuse of the utility by looking at the parent process and any potentially suspicious command line content.
.Class Extension URI Ending Request
Detects requests to URI ending with the ".class" extension in proxy logs. This could rules can be used to hunt for potential downloads of Java classes as seen for example in Log4shell exploitation attacks against Log4j.
Firewall Rule Modified In The Windows Firewall Exception List
Detects when a rule has been modified in the Windows firewall exception list
Potential Remote WMI ActiveScriptEventConsumers Activity
Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network. This event is best correlated and used as an enrichment to determine the potential lateral movement activity.
Access To Browser Credential Files By Uncommon Applications - Security
Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.
Scheduled Task Deletion
Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
CreateRemoteThread API and LoadLibrary
Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process
Remote Thread Creation Via PowerShell
Detects the creation of a remote thread from a Powershell process to another process
Remote Thread Created In Shell Application
Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.
Access To Chromium Browsers Sensitive Files By Uncommon Applications
Detects file access requests to chromium based browser sensitive files by uncommon processes. Could indicate potential attempt of stealing sensitive information.
Access To Browser Credential Files By Uncommon Applications
Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage
Access To Windows Outlook Mail Files By Uncommon Applications
Detects file access requests to Windows Outlook Mail by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage
Access To Sysvol Policies Share By Uncommon Process
Detects file access requests to the Windows Sysvol Policies Share by uncommon processes
Access To .Reg/.Hive Files By Uncommon Applications
Detects file access requests to files ending with either the ".hive"/".reg" extension, usually associated with Windows Registry backups.
Unattend.XML File Access Attempt
Detects attempts to access the "unattend.xml" file, where credentials might be stored. This file is used during the unattended windows install process.
File Creation Date Changed to Another Year
Detects when the file creation time is changed to a year before 2020. Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system. Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity. In order to use this rule in production, it is recommended first baseline normal behavior in your environment and then tune the rule accordingly. Hunting Recommendation: Focus on files with creation times set to years significantly before the current date, especially those in user-writable directories. Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.
ADS Zone.Identifier Deleted
Detects the deletion of the "Zone.Identifier" ADS. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
PFX File Creation
Detects the creation of PFX files (Personal Information Exchange format). PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to: - Exfiltrate digital certificates for impersonation or signing malicious code - Establish persistent access through certificate-based authentication - Bypass security controls that rely on certificate validation Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.
Python Path Configuration File Creation - Windows
Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence. Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script. Default paths are '\lib\site-packages\*.pth' (Windows) and '/lib/pythonX.Y/site-packages/*.pth' (Unix and macOS).
Scheduled Task Created - FileCreation
Detects the creation of a scheduled task via file creation.
Creation of an Executable by an Executable
Detects the creation of an executable by another executable.
VsCode Code Tunnel Execution File Indicator
Detects the creation of a file with the name "code_tunnel.json" which indicate execution and usage of VsCode tunneling utility. Attackers can abuse this functionality to establish a C2 channel
WebDAV Temporary Local File Creation
Detects the creation of WebDAV temporary files with potentially suspicious extensions
Non-DLL Extension File Renamed With DLL Extension
Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
Amsi.DLL Load By Uncommon Process
Detects loading of Amsi.dll by uncommon processes
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process. The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
System Drawing DLL Load
Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
Detects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory. The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object. Investigation of the loading application and its behavior is required to determining if its malicious.
Microsoft Excel Add-In Loaded
Detects Microsoft Excel loading an Add-In (.xll) file
Microsoft Word Add-In Loaded
Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
WMI Module Loaded By Uncommon Process
Detects WMI modules being loaded by an uncommon process
Dfsvc.EXE Network Connection To Non-Local IPs
Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
Dfsvc.EXE Initiated Network Connection Over Uncommon Port
Detects an initiated network connection over uncommon ports from "dfsvc.exe". A utility used to handled ClickOnce applications.
Dllhost.EXE Initiated Network Connection To Non-Local IP Address
Detects Dllhost.EXE initiating a network connection to a non-local IP address. Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. An initial baseline is recommended before deployment.
HH.EXE Initiated HTTP Network Connection
Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
Msiexec.EXE Initiated Network Connection Over HTTP
Detects a network connection initiated by an "Msiexec.exe" process over port 80 or 443. Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. Use this rule to hunt for potentially anomalous or suspicious communications.
Network Connection Initiated By PowerShell Process
Detects a network connection that was initiated from a PowerShell process. Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. Use this rule as a basis for hunting for anomalies.
Potentially Suspicious Azure Front Door Connection
Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
Network Connection Initiated From Users\Public Folder
Detects a network connection initiated from a process located in the "C:\Users\Public" folder. Attacker are known to drop their malicious payloads and malware in this directory as its writable by everyone. Use this rule to hunt for potential suspicious or uncommon activity in your environement.
PsExec Default Named Pipe
Detects PsExec service default pipe creation
Uncommon PowerShell Hosts
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
Detects powershell execution with that make use of to the bxor (Bitwise XOR). Attackers might use as an alternative obfuscation method to Base64 encoded commands. Investigate the CommandLine and process tree to determine if the activity is malicious.
Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
Compress-Archive Cmdlet Execution
Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Windows Mail App Mailbox Access Via PowerShell Script
Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock
Detects when a powershell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
SMB over QUIC Via PowerShell Script
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments