Sigma Rules
254 rules found for "attack.T1218"
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
MSI Installation From Web
Detects installation of a remote msi file from web.
HackTool - CACTUSTORCH Remote Thread Creation
Detects remote thread creation from CACTUSTORCH as described in references.
Remote Thread Creation Via PowerShell In Uncommon Target
Detects the creation of a remote thread from a Powershell process in an uncommon target process
DNS Query Request By Regsvr32.EXE
Detects DNS queries initiated by "Regsvr32.exe"
Suspicious DotNET CLR Usage Log Artifact
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
SCR File Write Event
Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
Self Extraction Directive File Created In Potentially Suspicious Location
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.
Created Files by Microsoft Sync Center
This rule detects suspicious files created by Microsoft Sync Center (mobsync)
Legitimate Application Dropped Archive
Detects programs on a Windows system that should not write an archive to disk
Legitimate Application Dropped Executable
Detects programs on a Windows system that should not write executables to disk
Legitimate Application Writing Files In Uncommon Location
Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.
Legitimate Application Dropped Script
Detects programs on a Windows system that should not write scripts to disk
Potentially Suspicious Self Extraction Directive File Created
Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.
DLL Loaded From Suspicious Location Via Cmspt.EXE
Detects cmstp loading "dll" or "ocx" files from suspicious locations
Time Travel Debugging Utility Usage - Image
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Potential DLL Sideloading Using Coregen.exe
Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
BaaUpdate.exe Suspicious DLL Load
Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
Unsigned DLL Loaded by Windows Utility
Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
MMC Loading Script Engines DLLs
Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.
Network Connection Initiated By AddinUtil.EXE
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
Outbound Network Connection Initiated By Cmstp.EXE
Detects a network connection initiated by Cmstp.EXE Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
RegAsm.EXE Initiating Network Connection To Public IP
Detects "RegAsm.exe" initiating a network connection to public IP adresses
Network Connection Initiated By Regsvr32.EXE
Detects a network connection initiated by "Regsvr32.exe"
Rundll32 Internet Connection
Detects a rundll32 that communicates with public IP addresses
Microsoft Sync Center Suspicious Network Connections
Detects suspicious connections from Microsoft Sync Center to non-private IPs.
Outbound Network Connection To Public IP Via Winlogon
Detects a "winlogon.exe" process that initiate network communications with public IP addresses
Potentially Suspicious Wuauclt Network Connection
Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
Potential RemoteFXvGPUDisablement.EXE Abuse
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
SyncAppvPublishingServer Execution to Bypass Powershell Restriction
Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
PowerShell WMI Win32_Product Install MSI
Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
CMSTP Execution Process Access
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Suspicious AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
Uncommon Child Process Of AddinUtil.EXE
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
Uncommon AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
AddinUtil.EXE Execution From Uncommon Directory
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
AgentExecutor PowerShell Execution
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
Suspicious AgentExecutor PowerShell Execution
Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
Uncommon Child Process Of Appvlp.EXE
Detects uncommon child processes of Appvlp.EXE Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE
Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
Suspicious BitLocker Access Agent Update Utility Execution
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
Suspicious Child Process Of BgInfo.EXE
Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Uncommon Child Process Of BgInfo.EXE
Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
BitLockerTogo.EXE Execution
Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
Potential Binary Proxy Execution Via Cdb.EXE
Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file