Sigma Rules
515 rules found for "Red Canary"
HH.EXE Execution
Detects the execution of "hh.exe" to open ".chm" files.
Remote CHM File Download/Execution Via HH.EXE
Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
CobaltStrike Load by Rundll32
Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
HackTool - WinRM Access Via Evil-WinRM
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
HackTool - Hashcat Password Cracker Execution
Detects execution of Hashcat.exe with a provided SAM file from the Windows registry and a password list to crack against.
HackTool - Pypykatz Credentials Dumping Activity
Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through the Windows registry, where the SAM database is stored.
HackTool - SharpView Execution
Adversaries may look for details about the network configuration and settings of systems they access, or of remote systems through information discovery.
HackTool - TruffleSnout Execution
Detects the use of TruffleSnout.exe, an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low-noise enumeration.
HackTool - WinPwn Execution
Detects command-line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Suspicious Execution of Hostname
Detects use of the hostname command to gather information.
Disable Windows IIS HTTP Logging
Detects disabling of HTTP logging on a Windows IIS web server, as seen used by Threat Group 3390 (Bronze Union).
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" to download arbitrary files.
InfDefaultInstall.exe .inf Execution
Detects execution of an SCT script using scrobj.dll from a command entered into a specially prepared INF file.
Suspicious Shells Spawn by Java Utility Keytool
Detects suspicious shell spawns from the Java utility keytool process (e.g. ADSelfService Plus exploitation).
Potential Manage-bde.wsf Abuse To Proxy Execution
Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution.
Mavinject Inject DLL Into Running Process
Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag.
SyncAppvPublishingServer Execute Arbitrary PowerShell Code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code
Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs.
Windows Defender Definition Files Removed
Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender definition files.
Suspicious JavaScript Execution Via Mshta.EXE
Detects execution of JavaScript code using "mshta.exe".
DllUnregisterServer Function Call Via Msiexec.EXE
Detects MsiExec loading a DLL and calling its DllUnregisterServer function.
Suspicious MsiExec Embedding Parent
Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads.
Suspicious Msiexec Execute Arbitrary DLL
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
Msiexec Quiet Installation
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).
Windows MSIX Package Support Framework AI_STUBS Execution
Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with the original filename 'popupwrapper.exe'. This activity may indicate malicious MSIX packages built with Advanced Installer that leverage the Package Support Framework to bypass application control restrictions.
New Remote Desktop Connection Initiated Via Mstsc.EXE
Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Msxsl.EXE Execution
Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
Remote XSL Execution Via Msxsl.EXE
Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
Suspicious Group And Account Reconnaissance Activity Using Net.EXE
Detects suspicious reconnaissance command-line activity on Windows systems using Net.EXE. Check whether the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM).
Unmount Share Via Net.EXE
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
Start Windows Service Via Net.EXE
Detects the usage of the "net.exe" command to start a service using the "start" flag.
System Network Connections Discovery Via Net.EXE
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
New User Created Via Net.EXE
Identifies the creation of local users via the net.exe command.
Share And Session Enumeration Using Net.EXE
Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
Firewall Disabled via Netsh.EXE
Detects netsh commands that turn off the Windows firewall.
Netsh Allow Group Policy on Microsoft Defender Firewall
Adversaries may modify system firewalls in order to bypass controls limiting network usage.
Firewall Configuration Discovery Via Netsh.EXE
Adversaries may look for details about the network configuration and settings of systems they access, or of remote systems through information discovery.
Potential Persistence Via Netsh Helper DLL
Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
Potential Recon Activity Via Nltest.EXE
Detects nltest commands that can be used for information discovery.
New DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
PDQ Deploy Remote Administration Tool Execution
Detects use of the PDQ Deploy remote administration tool.
Audio Capture via PowerShell
Detects audio capture via PowerShell Cmdlet.
Powershell Base64 Encoded MpPreference Cmdlet
Detects base64-encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV.
Obfuscated PowerShell MSI Install via WindowsInstaller COM
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`). The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
PowerShell MSI Install via WindowsInstaller COM From Remote Location
Detects the execution of PowerShell commands that attempt to install MSI packages hosted remotely via the Windows Installer COM object (`WindowsInstaller.Installer`). This could be an indication of malicious software deployment or lateral movement attempts using Windows Installer functionality, and the usage of the WindowsInstaller COM object rather than msiexec could be an attempt to bypass detection.
New Service Creation Using PowerShell
Detects the creation of a new service using PowerShell.
Powershell Defender Exclusion
Detects requests to exclude files, folders or processes from antivirus scanning using PowerShell cmdlets.
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using PowerShell.