Sigma Rules
2,824 rules found
Sliver C2 Default Service Installation
Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands
Service Installed By Unusual Client - System
Detects a service installed by a client which has PID 0 or whose parent has PID 0
Suspicious Service Installation
Detects suspicious service installation commands
PsExec Service Installation
Detects PsExec service installation and execution events
TacticalRMM Service Installation
Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
Tap Driver Installation
Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
Uncommon Service Installation Image Path
Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
Windows Service Terminated With Error
Detects Windows services that got terminated for whatever reason
Important Windows Service Terminated With Error
Detects important or interesting Windows services that got terminated for whatever reason
Important Windows Service Terminated Unexpectedly
Detects important or interesting Windows services that got terminated unexpectedly.
RTCore Suspicious Service Installation
Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
Service Installation in Suspicious Folder
Detects service installation in suspicious folder appdata
Service Installation with Suspicious Folder Pattern
Detects service installation with suspicious folder patterns
Suspicious Service Installation Script
Detects suspicious service installation scripts
Scheduled Task Executed From A Suspicious Location
Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
Scheduled Task Executed Uncommon LOLBIN
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
Important Scheduled Task Deleted
Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Ngrok Usage with Remote Desktop Service
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour
Mimikatz Use
This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
Windows Defender Grace Period Expired
Detects the expiration of the grace period of Windows Defender. This means protection against viruses, spyware, and other potentially unwanted software is disabled.
LSASS Access Detected via Attack Surface Reduction
Detects Access to LSASS Process
PSExec and WMI Process Creations Block
Detects blocking of process creations originating from PSExec and WMI commands
Windows Defender Exclusions Added
Detects the Setting of Windows Defender Exclusions
Windows Defender Exploit Guard Tamper
Detects when someone is adding or removing applications or folders from exploit guard "ProtectedFolders" or "AllowedApplications"
Windows Defender Submit Sample Feature Disabled
Detects disabling of the "Automatic Sample Submission" feature of Windows Defender.
Windows Defender Malware Detection History Deletion
Windows Defender logs when the history of detected infections is deleted.
Windows Defender Malware And PUA Scanning Disabled
Detects disabling of the Windows Defender feature of scanning for malware and other potentially unwanted software
Windows Defender AMSI Trigger Detected
Detects triggering of AMSI by Windows Defender.
Windows Defender Real-time Protection Disabled
Detects disabling of Windows Defender Real-time Protection. As this event doesn't contain a lot of information on who initiated this action you might want to reduce it to a "medium" level if this occurs too many times in your environment
Windows Defender Real-Time Protection Failure/Restart
Detects issues with Windows Defender Real-Time Protection features
Win Defender Restored Quarantine File
Detects the restoration of files from the defender quarantine
Windows Defender Configuration Changes
Detects suspicious changes to the Windows Defender configuration
Microsoft Defender Tamper Protection Trigger
Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring"
Windows Defender Threat Detected
Detects actions taken by Windows Defender malware detection engines
Windows Defender Virus Scanning Feature Disabled
Detects disabling of the Windows Defender virus scanning feature
WMI Persistence
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.
HackTool - CACTUSTORCH Remote Thread Creation
Detects remote thread creation from CACTUSTORCH as described in references.
HackTool - Potential CobaltStrike Process Injection
Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
Remote Thread Created In KeePass.EXE
Detects remote thread creation in "KeePass.exe" which could indicates potential password dumping activity
Remote Thread Creation In Mstsc.Exe From Suspicious Location
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location. This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
Potential Credential Dumping Attempt Via PowerShell Remote Thread
Detects remote thread creation by PowerShell processes into "lsass.exe"
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a Powershell process in an uncommon target process
Password Dumper Remote Thread in LSASS
Detects password dumper activity by monitoring remote thread creation EventID 8 in combination with the lsass.exe process as TargetImage. The process in field Process is the malicious program. A single execution can lead to hundreds of events.
Rare Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Remote Thread Creation By Uncommon Source Image
Detects uncommon processes creating remote threads.
Remote Thread Creation In Uncommon Target Image
Detects uncommon target processes for remote thread creation
Remote Thread Creation Ttdinject.exe Proxy
Detects a remote thread creation of Ttdinject.exe used as proxy
Hidden Executable In NTFS Alternate Data Stream
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash