Sigma Rules
801 rules found for "privilege-escalation"
Potential Waveedit.DLL Sideloading
Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
Potential Wazuh Security Platform DLL Sideloading
Detects potential DLL side loading of DLLs that are part of the Wazuh security platform
Potential Mpclient.DLL Sideloading
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Potential WWlib.DLL Sideloading
Detects potential DLL sideloading of "wwlib.dll"
Unsigned Module Loaded by ClickOnce Application
Detects unsigned module load by ClickOnce application.
DotNet CLR DLL Loaded By Scripting Applications
Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.
Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
UAC Bypass With Fake DLL
Attempts to load dismcore.dll after dropping it
Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
WMI Persistence - Command Line Event Consumer
Detects WMI command line event consumers
Network Connection Initiated Via Notepad.EXE
Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.
Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
CobaltStrike Named Pipe
Detects the creation of a named pipe as used by CobaltStrike
CobaltStrike Named Pipe Pattern Regex
Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
CobaltStrike Named Pipe Patterns
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
HackTool - CoercedPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool CoercedPotato
HackTool - DiagTrackEoP Default Named Pipe
Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.
HackTool - EfsPotato Named Pipe Creation
Detects the pattern of a pipe name as used by the hack tool EfsPotato
HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Suspicious Computer Machine Password by PowerShell
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
Powershell Create Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
Registry-Free Process Scope COR_PROFILER
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
DMSA Service Account Created in Specific OUs - PowerShell
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
Service Registry Permissions Weakness Check
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
Powershell LocalAccount Manipulation
Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
DMSA Link Attributes Modified
Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts. This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
Modify Group Policy Settings - ScriptBlockLogging
Detect malicious GPO modifications can be used to implement many other malicious behaviors.
PowerShell ShellCode
Detects Base64 encoded Shellcode
Potential Persistence Via Security Descriptors - ScriptBlock
Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
Suspicious GetTypeFromCLSID ShellExecute
Detects suspicious Powershell code that execute COM Objects
Suspicious PowerShell Invocations - Specific
Detects suspicious PowerShell invocation command parameters
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Potential Persistence Via PowerShell User Profile Using Add-Content
Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Registry Modification Attempt Via VBScript - PowerShell
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.
Winlogon Helper DLL
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
Powershell WMI Persistence
Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
WMIC Unquoted Services Path Lookup - PowerShell
Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts
HackTool - LittleCorporal Generated Maldoc Injection
Detects the process injection of a LittleCorporal generated Maldoc.
Uncommon Process Access Rights For Target Image
Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
Credential Dumping Attempt Via Svchost
Detects when a process tries to access the memory of svchost to potentially dump credentials.
Function Call From Undocumented COM Interface EditionUpgradeManager
Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.
UAC Bypass Using WOW64 Logger DLL Hijack
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
Interactive AT Job
Detects an interactive AT job, which may be used as a form of privilege escalation.