Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

889 rules found for "persistence"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

Suspicious Get-Variable.exe Creation

Get-Variable is a valid PowerShell cmdlet WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.

WindowsFile Event
TA0004 · Privilege EscalationTA0003 · PersistenceT1546 · Event Triggered ExecutionTA0005 · Defense Evasion+1
François HubautSat Apr 23windows
Detectionmediumtest

PowerShell Profile Modification

Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

WindowsFile Event
TA0003 · PersistenceTA0004 · Privilege EscalationT1546.013 · PowerShell Profile
HieuTT35+1Thu Oct 24windows
Detectionhightest

Suspicious File Creation Activity From Fake Recycle.Bin Folder

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

WindowsFile Event
TA0003 · PersistenceTA0005 · Defense Evasion
X__Junior (Nextron Systems)Wed Jul 12windows
Detectionhightest

Suspicious Startup Folder Persistence

Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors. These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers. This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.

WindowsFile Event
TA0004 · Privilege EscalationTA0002 · ExecutionT1204.002 · Malicious FileTA0003 · Persistence+1
Nasreddine Bencherchali (Nextron Systems)+1Wed Aug 10windows
Detectionhightest

Suspicious Scheduled Task Write to System32 Tasks

Detects the creation of tasks from processes executed from suspicious locations

WindowsFile Event
TA0004 · Privilege EscalationTA0003 · PersistenceTA0002 · ExecutionT1053 · Scheduled Task/Job
Florian Roth (Nextron Systems)Tue Nov 16windows
Detectionmediumtest

VsCode Powershell Profile Modification

Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

WindowsFile Event
TA0003 · PersistenceTA0004 · Privilege EscalationT1546.013 · PowerShell Profile
Nasreddine Bencherchali (Nextron Systems)Wed Aug 24windows
Detectionmediumtest

Windows Terminal Profile Settings Modification By Uncommon Process

Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.

WindowsFile Event
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.015 · Login Items
François Hubaut+1Sat Jul 22windows
Detectionhightest

Process Explorer Driver Creation By Non-Sysinternals Binary

Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.

WindowsFile Event
TA0003 · PersistenceTA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalation
Florian Roth (Nextron Systems)Fri May 05windows
Detectionmediumtest

Process Monitor Driver Creation By Non-Sysinternals Binary

Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.

WindowsFile Event
TA0003 · PersistenceTA0004 · Privilege EscalationT1068 · Exploitation for Privilege Escalation
Nasreddine Bencherchali (Nextron Systems)Fri May 05windows
Detectionhightest

PSEXEC Remote Execution File Artefact

Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

WindowsFile Event
TA0008 · Lateral MovementTA0004 · Privilege EscalationTA0002 · ExecutionTA0003 · Persistence+4
Nasreddine Bencherchali (Nextron Systems)Sat Jan 21windows
Detectionhightest

Potential Privilege Escalation Attempt Via .Exe.Local Technique

Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"

WindowsFile Event
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege Escalation
Nasreddine Bencherchali (Nextron Systems)+1Fri Dec 16windows
Detectionmediumtest

Potential Webshell Creation On Static Website

Detects the creation of files with certain extensions on a static web site. This can be indicative of potential uploads of a web shell.

WindowsFile Event
TA0003 · PersistenceT1505.003 · Web Shell
Beyu Denis+3Tue Oct 22windows
Detectionmediumtest

Creation of WerFault.exe/Wer.dll in Unusual Folder

Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

WindowsFile Event
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
François HubautMon May 09windows
Detectionhighexperimental

WinRAR Creating Files in Startup Locations

Detects WinRAR creating files in Windows startup locations, which may indicate an attempt to establish persistence by adding malicious files to the Startup folder. This kind of behaviour has been associated with exploitation of WinRAR path traversal vulnerability CVE-2025-6218 or CVE-2025-8088.

WindowsFile Event
TA0004 · Privilege EscalationTA0003 · PersistenceT1547.001 · Registry Run Keys / Startup Folder
Swachchhanda Shrawan Poudel (Nextron Systems)Wed Jul 16windows
Detectionhightest

WMI Persistence - Script Event Consumer File Write

Detects file writes of WMI script event consumer

WindowsFile Event
TA0004 · Privilege EscalationT1546.003 · Windows Management Instrumentation Event SubscriptionTA0003 · Persistence
Thomas PatzkeWed Mar 07windows
Detectionhightest

UEFI Persistence Via Wpbbin - FileCreation

Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method

WindowsFile Event
TA0003 · PersistenceTA0005 · Defense EvasionT1542.001 · System Firmware
Nasreddine Bencherchali (Nextron Systems)Mon Jul 18windows
Detectionmediumtest

Writing Local Admin Share

Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

WindowsFile Event
TA0004 · Privilege EscalationTA0003 · PersistenceTA0008 · Lateral MovementT1546.002 · Screensaver
François HubautSat Jan 01windows
Detectionlowtest

Potential Azure Browser SSO Abuse

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Den IuzvykWed Jul 15windows
Detectionmediumexperimental

Unsigned .node File Loaded

Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.

WindowsImage Load (DLL)
TA0002 · ExecutionTA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense Evasion+3
Jonathan BeierleSat Nov 22windows
Detectionmediumtest

Microsoft VBA For Outlook Addin Loaded Via Outlook

Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process

WindowsImage Load (DLL)
TA0002 · ExecutionT1204.002 · Malicious File
Nasreddine Bencherchali (Nextron Systems)Wed Feb 08windows
Detectionmediumtest

WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load

Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.

WindowsImage Load (DLL)
TA0008 · Lateral MovementTA0004 · Privilege EscalationTA0003 · PersistenceT1546.003 · Windows Management Instrumentation Event Subscription
Roberto Rodriguez (Cyb3rWard0g)+1Wed Sep 02windows
Detectionlowtest

Potential 7za.DLL Sideloading

Detects potential DLL sideloading of "7za.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__JuniorFri Jun 09windows
Detectionmediumtest

Potential Antivirus Software DLL Sideloading

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Wed Aug 17windows
Detectionhightest

Potential appverifUI.DLL Sideloading

Detects potential DLL sideloading of "appverifUI.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Tue Jun 20windows
Detectionhightest

Aruba Network Service Potential DLL Sideloading

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0004 · Privilege EscalationTA0003 · PersistenceT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Sun Jan 22windows
Detectionmediumtest

Potential AVKkid.DLL Sideloading

Detects potential DLL sideloading of "AVKkid.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Thu Aug 03windows
Detectionmediumtest

Potential CCleanerDU.DLL Sideloading

Detects potential DLL sideloading of "CCleanerDU.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Thu Jul 13windows
Detectionmediumtest

Potential CCleanerReactivator.DLL Sideloading

Detects potential DLL sideloading of "CCleanerReactivator.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__JuniorThu Jul 13windows
Detectionmediumtest

Potential Chrome Frame Helper DLL Sideloading

Detects potential DLL sideloading of "chrome_frame_helper.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Wed Aug 17windows
Detectionmediumtest

Potential DLL Sideloading Via ClassicExplorer32.dll

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
François HubautTue Dec 13windows
Detectionhightest

Potential DLL Sideloading Via comctl32.dll

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Fri Dec 16windows
Detectionhightest

System Control Panel Item Loaded From Uncommon Location

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Anish BogatiTue Jan 09windows
Detectionmediumtest

Potential DLL Sideloading Of DBGCORE.DLL

Detects DLL sideloading of "dbgcore.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Tue Oct 25windows
Detectionmediumtest

Potential DLL Sideloading Of DBGHELP.DLL

Detects potential DLL sideloading of "dbghelp.dll"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Tue Oct 25windows
Detectionmediumtest

Potential DLL Sideloading Of DbgModel.DLL

Detects potential DLL sideloading of "DbgModel.dll"

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Gary LobermierThu Jul 11windows
Detectionhightest

Potential EACore.DLL Sideloading

Detects potential DLL sideloading of "EACore.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Thu Aug 03windows
Detectionhightest

Potential Edputil.DLL Sideloading

Detects potential DLL sideloading of "edputil.dll"

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Fri Jun 09windows
Detectionhightest

Potential System DLL Sideloading From Non System Locations

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Sun Aug 14windows
Detectionmediumtest

Potential Goopdate.DLL Sideloading

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)+1Mon May 15windows
Detectionmediumtest

Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Fri May 05windows
Detectionhightest

Potential Iviewers.DLL Sideloading

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__Junior (Nextron Systems)Tue Mar 21windows
Detectionhighexperimental

Potential JLI.dll Side-Loading

Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others in order to load malicious payloads in context of legitimate Java processes.

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Swachchhanda Shrawan Poudel (Nextron Systems)Fri Jul 25windows
Detectionmediumtest

Potential DLL Sideloading Via JsSchHlp

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
François HubautWed Dec 14windows
Detectionhightest

Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE

Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Swachchhanda Shrawan PoudelMon Apr 15windows
Detectionmediumtest

Potential Libvlc.DLL Sideloading

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

WindowsImage Load (DLL)
TA0005 · Defense EvasionTA0003 · PersistenceTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
X__JuniorMon Apr 17windows
Detectionmediumtest

Potential Mfdetours.DLL Sideloading

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Thu Aug 03windows
Detectionhightest

Unsigned Mfdetours.DLL Sideloading

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

WindowsImage Load (DLL)
TA0003 · PersistenceTA0005 · Defense EvasionTA0004 · Privilege EscalationT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)Fri Aug 11windows
Detectionmediumtest

Potential DLL Sideloading Of MpSvc.DLL

Detects potential DLL sideloading of "MpSvc.dll".

WindowsImage Load (DLL)
TA0004 · Privilege EscalationTA0003 · PersistenceTA0005 · Defense EvasionT1574.001 · DLL Search Order Hijacking
Nasreddine Bencherchali (Nextron Systems)+1Thu Jul 11windows
178919