Sigma Rules
3,332 rules found
Potential Registry Reconnaissance Via PowerShell Script
Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
Use Of Remove-Item to Delete File - ScriptBlock
PowerShell Remove-Item with -Path to delete a file or a folder with "-Recurse"
Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet
Detects the execution of a PowerShell script with a call to the "Send-MailMessage" cmdlet along with the "-Attachments" flag. This could be a potential sign of data exfiltration via Email. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Powershell Token Obfuscation - Powershell
Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation in Powershell scripts. Use this rule as a threat-hunting baseline to find obfuscated scripts in your environment. Once tested and tuned, consider deploying a production detection rule based on this hunting rule.
WinAPI Library Calls Via PowerShell Scripts
Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
WinAPI Function Calls Via PowerShell Scripts
Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
Potential Credential Dumping Attempt Via PowerShell
Detects a PowerShell process requesting access to "lsass.exe", which can be indicative of potential credential dumping attempts
LSASS Access From Program In Potentially Suspicious Folder
Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
Uncommon GrantedAccess Flags On LSASS
Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410
Potential Shellcode Injection
Detects potential shellcode injection as seen used by tools such as Metasploit's migrate and Empire's psinject.
Password Protected Compressed File Extraction Via 7Zip
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.
Set Files as System Files Using Attrib.EXE
Detects the execution of "attrib" with the "+s" flag to mark files as system files
Potential BOINC Software Execution (UC-Berkeley Signature)
Detects the use of software that is related to the University of California, Berkeley via metadata information. This indicates it may be related to BOINC software and can be used maliciously if unauthorized.
CMD Shell Output Redirect
Detects the use of the redirection character ">" to redirect information on the command line. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Potential File Override/Append Via SET Command
Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign. Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly. Ex: cmd /c >> example.txt set /p="test data". This will append "test data" to contents of "example.txt". The typical use case of the "set /p=" command is to prompt the user for input.
Headless Process Launched Via Conhost.EXE
Detects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the windows from the user upon execution.
Dynamic .NET Compilation Via Csc.EXE - Hunting
Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
File Download Via Curl.EXE
Detects file download using curl.exe
Curl.EXE Execution
Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server
Potential Data Exfiltration Via Curl.EXE
Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
Curl.EXE Execution With Custom UserAgent
Detects execution of curl.exe with custom useragent options
ClickOnce Deployment Execution - Dfsvc.EXE Child Process
Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
Diskshadow Child Process Spawned
Detects any child process spawning from "Diskshadow.exe". This could be due to executing Diskshadow in interpreter mode or script mode and using the "exec" flag to launch other applications.
Diskshadow Script Mode Execution
Detects execution of "Diskshadow.exe" in script mode using the "/s" flag. Attackers often abuse "diskshadow" to execute scripts that deleted the shadow copies on the systems. Investigate the content of the scripts and its location.
Potential Proxy Execution Via Explorer.EXE From Shell Process
Detects the creation of a child "explorer.exe" process from a shell like process such as "cmd.exe" or "powershell.exe". Attackers can use "explorer.exe" for evading defense mechanisms by proxying the execution through the latter. While this is often a legitimate action, this rule can be use to hunt for anomalies. Muddy Waters threat actor was seeing using this technique.
Potential DLL Sideloading Activity Via ExtExport.EXE
Detects the execution of "Extexport.exe".A utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa. It can be abused as a tool to side load any DLL. If a folder is provided in the command line it'll load any DLL with one of the following names "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll". Arbitrary DLLs can also be loaded if a specific number of flags was provided.
Potential Password Reconnaissance Via Findstr.EXE
Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
New Self Extracting Package Created Via IExpress.EXE
Detects the "iexpress.exe" utility creating self-extracting packages. Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files. Investigate the command line options provided to "iexpress" and in case of a ".sed" file, check the contents and legitimacy of it.
Microsoft Workflow Compiler Execution
Detects the execution of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
CodePage Modification Via MODE.COM
Detects a CodePage modification using the "mode.com" utility. This behavior has been used by threat actors behind Dharma ransomware.
Net.EXE Execution
Detects execution of "Net.EXE".
SMB over QUIC Via Net.EXE
Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
Suspicious New Instance Of An Office COM Object
Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)
Unusually Long PowerShell CommandLine
Detects unusually long PowerShell command lines with a length of 1000 characters or more
Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.
Import New Module Via PowerShell CommandLine
Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet
Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
Potentially Suspicious PowerShell Child Processes
Detects potentially suspicious child processes spawned by PowerShell. Use this rule to hunt for potential anomalies initiating from PowerShell scripts and commands.
Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly
Detects execution of regsvr32 with the silent flag and no other flags on a DLL located in an uncommon or potentially suspicious location. When Regsvr32 is called in such a way, it implicitly calls the DLL export function 'DllRegisterServer'.
Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions
Detects the execution of Action1 in order to execute arbitrary code or establish a remote session. Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries. Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. Hunting Opportunity 1- Weed Out The Noise When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1": ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0" After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences. Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.
Remote Access Tool - Ammy Admin Agent Execution
Detects the execution of the Ammy Admin RMM agent for remote management.
Remote Access Tool - Cmd.EXE Execution via AnyViewer
Detects execution of "cmd.exe" via the AnyViewer RMM agent on a remote management sessions.
Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
Detects remote binary or command execution via the ScreenConnect Service. Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
Scheduled Task Creation From Potential Suspicious Parent Location
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
SC.EXE Query Execution
Detects execution of "sc.exe" to query information about registered services on the system
Potential CommandLine Obfuscation Using Unicode Characters
Detects potential CommandLine obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Potentially Suspicious Compression Tool Parameters
Detects potentially suspicious command line arguments of common data compression tools